Message from the Director


Systems  depend  on  software. 

It  is  software  that  provides  a  system's  "brains, 
heart,  and  soul"  and  the  ability  to  interact  with 
people and other systems. Whether on the battlefield
or in the global marketplace, delivering
the  right  software  to  end  users  is  fundamental 
to  success.  The  challenge  is  to  do  it  faster  than 
anyone  else,  but  with  predictable  performance, 
quality,  cost,  and  schedule.  New  technical 
challenges  make  the  development  of  software 
more  difficult  and  require  the  development  and 
adoption  of  new  software  engineering  practices. 
The SEI exists to help others improve their software
engineering capabilities by advancing the
state  of  the  practice  of  software  engineering. 

With  this  in  mind,  the  SEI's  work  is  centered  on 
three  technical  themes: 


1. Move to the left. Much of the SEI's work supports the engineering
analysis  of  software  issues  early  in  the  system's  life  cycle.  This 
results  in  systems  built  right  the  first  time,  with  less  testing, 
increased  quality,  and  reduced  costs. 

2.  Reuse  everything.  A  systematic  and  strategic  approach  to  reuse 
is  one  key  to  reducing  cost,  increasing  productivity,  and  improving 
reliability.  Software  architecture  and  the  development/acquisition 
process  can  exploit  common  elements  among  systems  and  provide 
opportunities to reuse products, software assets, and knowledge-based
artifacts (e.g., architecture, requirements plans) for families
of  similar  products. 

3.  Never  make  the  same  mistake  twice.  Because  of  the  rapid  pace  of 
technological  change,  software  and  systems  engineers  need  to  learn 
from  the  experiences  of  others.  The  SEI  disseminates  lessons  learned 
and case studies based on real-world experience, providing practitioners
a neutral and objective source through which they can share their
knowledge  and  experience  and  interact  with  others.  Furthermore,  SEI 
training  materials,  guidelines,  frameworks,  improvement  models,  and 
publications  help  engineers  and  organizations  use  the  best  practices 
in  developing,  acquiring,  and  sustaining  systems. 

These  three  technical  themes  provide  a  conceptual  framework  for  the 
SEI's  comprehensive  body  of  work,  which  is  summarized  in  this  annual 
report.  The  SEI  annual  report  for  fiscal  year  2001  presents  the  SEI's  major 
accomplishments  in  pursuit  of  its  mission  and  summarizes  progress 
toward  achieving  the  SEI's  vision  for  the  practice  of  software  engineering: 
"the  right  software,  delivered  defect  free,  on  time  and  on  cost,  every  time." 


Stephen  E.  Cross 

Director  and  Chief  Executive  Officer, 
Software  Engineering  Institute 
THE RIGHT SOFTWARE, DELIVERED DEFECT FREE,
ON  TIME  AND  ON  COST,  EVERY  TIME. 


TO  BE  SUCCESSFUL,  INTEGRATED  TEAMS  OF  DEVELOPERS, 
ACQUIRERS,  AND  SOFTWARE  USERS  MUST  HAVE  THE 
NECESSARY  SOFTWARE  ENGINEERING  SKILLS  AND  KNOWLEDGE 
TO  ENSURE  THAT  THE  RIGHT  SOFTWARE  IS  DELIVERED  TO 
END  USERS. 

"RIGHT  SOFTWARE"  IMPLIES  SOFTWARE  THAT  SATISFIES 
REQUIREMENTS  FOR  FUNCTIONALITY,  PERFORMANCE,  AND 
COST  THROUGHOUT  ITS  LIFETIME. 

"DEFECT-FREE"  SOFTWARE  IS  ACHIEVED  EITHER  THROUGH 
EXHAUSTIVE  TESTING  AFTER  CODING  OR  BY  DEVELOPING  THE 
CODE  RIGHT  THE  FIRST  TIME.  THE  SEI'S  BODY  OF  WORK  IN 
TECHNICAL  AND  MANAGEMENT  PRACTICES  IS  FOCUSED  ON 

DEVELOPING  IT  RIGHT  THE  FIRST  TIME,  WHICH  RESULTS 
NOT  ONLY  IN  HIGHER  QUALITY,  BUT  ALSO  IN  PREDICTABLE 
AND  IMPROVED  SCHEDULE  AND  COST. 


TO PROVIDE THE TECHNICAL LEADERSHIP TO ADVANCE THE
PRACTICE OF SOFTWARE ENGINEERING SO THE DOD CAN ACQUIRE
AND SUSTAIN ITS SOFTWARE-INTENSIVE SYSTEMS WITH
PREDICTABLE AND IMPROVED COST, SCHEDULE, AND QUALITY.

THE  SEI  MISSION  INCLUDES  FOUR  OBJECTIVES: 

1.  ACCELERATE  THE  INTRODUCTION  AND  WIDESPREAD  USE 
OF  HIGH-PAYOFF  SOFTWARE  ENGINEERING  PRACTICES 
AND  TECHNOLOGY  BY  IDENTIFYING,  EVALUATING,  AND 
MATURING  PROMISING  OR  UNDERUSED  TECHNOLOGY 
AND  PRACTICES. 

2.  MAINTAIN  A  LONG-TERM  COMPETENCY  IN  SOFTWARE 
ENGINEERING  AND  TECHNOLOGY  TRANSITION. 

3.  ENABLE  INDUSTRY  AND  GOVERNMENT  ORGANIZATIONS 
TO  MAKE  MEASURED  IMPROVEMENTS  IN  THEIR  SOFTWARE 
ENGINEERING  PRACTICES  BY  WORKING  WITH  THEM 
DIRECTLY. 

4. FOSTER THE ADOPTION AND SUSTAINED USE OF STANDARDS
OF  EXCELLENCE  FOR  SOFTWARE  ENGINEERING  PRACTICE. 


THE SEI'S STRATEGIC APPROACH TO ACHIEVING ITS MISSION CAN BE
SUMMARIZED  IN  THREE  WORDS:  CREATE,  APPLY,  AND  AMPLIFY. 


CREATE

The SEI works with the research community to help create and identify new and improved practices.

The SEI creates and identifies emerging or underused solutions to significant and pervasive software engineering problems and develops these solutions so that they can be applied by software developers and acquirers to improve their software engineering practices. The SEI enters into cooperative research and development agreements (CRADAs) with industry and academia to test new and emerging technologies.

2001 Highlights (see page 11):

■ Sustained technical leadership and publication record

■ Initiated new work in software component certification

■ Supported development and initial use of the CMMI™ framework

APPLY

The SEI works with leading-edge software developers and acquirers to apply and validate the new and improved practices.

SEI staff members help the DoD solve specific software engineering and acquisition problems by applying these practices. SEI direct support is funded through task orders for government work.

2001 Highlights (see page 12):

■ Created planned programs of work with senior acquisition executives in the U.S. Army, Navy, and Air Force to institute new and improved practices within the acquisition community and industry bases

■ Demonstrated and documented a DoD case study of product line practice

■ Positioned the CERT® Coordination Center (CERT/CC) and the SEI to anticipate new threats to networked systems and to have more impact

■ Demonstrated and documented defect-free software-development methods

AMPLIFY

The SEI works through the global community of software engineers to amplify the impact of the new and improved practices by encouraging and supporting their widespread adoption.

The SEI works closely with DoD engineering organizations.

In addition, the SEI offers continuing education courses based on matured, validated, and documented solutions.

The SEI also licenses the packaging and delivery of new and improved technologies, working with developers and acquirers as well as with "transition partners" (DoD and industry organizations that help others adopt new technology).

2001 Highlights (see page 13):

■ Amplified the impact of the CERT/CC

■ Documented evolutionary acquisition (EA) practices for software-intensive systems

THESE ARE THE COMMUNITIES OF PRACTICE THAT THE SEI SERVES

THE SEI WORKS WITH THREE DISTINCT COMMUNITIES TO IDENTIFY,
MATURE, TRANSITION, AND FACILITATE THE BROAD ADOPTION OF
NEW AND IMPROVED PRACTICES.

1.  DEVELOPERS,  IN  INDUSTRY  AND  DOD  ORGANIZATIONS,  ARE 
THOSE  WHO  ACTUALLY  BUILD  THE  SOFTWARE  THAT  IS  INTEGRATED 
INTO  SYSTEMS. 

2.  ACQUIRERS  ARE  THOSE  DOD  ACQUISITION  COMMANDS  AND 
ORGANIZATIONS  RESPONSIBLE  FOR  OBTAINING  SYSTEMS  NEEDED 
TO  ACCOMPLISH  THEIR  MISSIONS  THROUGH  CONTRACTS  WITH 
INDUSTRY. 

3. RESEARCHERS ARE THOSE WHO TYPICALLY WORK IN UNIVERSITY,
DOD, AND INDUSTRY RESEARCH CENTERS. THEY DEVELOP
NEW AND IMPROVED SOFTWARE ENGINEERING TECHNOLOGIES
AND  PRACTICES. 


SEI Annual Report FY2001


Highlights  for  2001 


The SEI's strategic functions: helping others to improve their software engineering practices


Sustained technical leadership and publication record: The SEI
staff continued to advance research in the field of software engineering.
An article by R. L. Glass and T. Y. Chen in the Journal of Systems
and Software 59 (2001), pp. 107-113, rates Carnegie Mellon/SEI the
number one institution for publishing scholarly articles in the field
of systems and software engineering. For a list of FY2001 staff
accomplishments, see page 50.

Initiated new work in software component certification:
Through an SEI project called "Predictable Assembly from Certifiable
Components," the SEI began exploring the feasibility of industrial
certification for software components. This work is based on the
premise that component properties that can be used in predictive
models of system behavior (component assemblies) can be independently
certified, and that the predictive models can also be empirically
validated and independently certified. The intended result of
this work will be an engineering discipline for predictable assembly
from certifiable components.

Supported development and initial use of the CMMI framework:
Since the first release of the Capability Maturity Model® for Software
(SW-CMM®) in 1991, software process improvement based on the SW-CMM
has helped more than 5,000 organizations worldwide improve
their software engineering practices. The Capability Maturity Model
Integration (CMMI) project, jointly sponsored by the Office of the
Under Secretary of Defense (Acquisition, Technology, and Logistics)
(OUSD/AT&L) and the Systems Engineering Committee of the National
Defense Industrial Association (NDIA), builds on the SEI's longstanding
expertise in process improvement. CMMI facilitates the use of
multiple CMMs for improvement in multiple disciplines. The first CMMI
models were publicly released in 2001 and have gained support from
a wide range of government and industry organizations. A transition-focused
workshop brought together early adopters of CMMI to gather
lessons learned about successful CMMI adoption. To date, more than
20 pilots of CMMI have been conducted (10 in 2001) in a wide range
of organizational contexts. The impact of this work will be amplified
by the more than 40 organizations (listed on pages 60-61) that have
been authorized by the SEI to offer training and appraisal services
related to the CMMI models.


Left: 

Transitioning  to  CMMI:  A  Guide  for 
Executives,  created  by  members  of 
the  CMMI  Product  Team,  presents 
the  business  case  for  CMMI. 


Right: 

SEI  staff  members  were  active  and 
highly  visible  within  the  research 
community  in  component-based 
software  engineering  in  2001.  Judith 
Stafford and Kurt Wallnau of the SEI
are guest editors for a forthcoming
special edition about component-based
software engineering of The
Journal  of  Systems  and  Software. 
Created planned programs of work with senior acquisition
executives in the U.S. Army, Navy, and Air Force to institute
new and improved practices within the acquisition community
and industry bases: For example, the SEI undertook a new portfolio
of work for the Assistant Secretary of the Army (Acquisition,
Technology, and Logistics); see Army Workshop on Lessons Learned
from Software Upgrade Programs. Also see page 39.

Demonstrated and documented a DoD case study of product
line practice: The SEI helped the U.S. National Reconnaissance
Office make dramatic improvements through a strategic and systematic
reuse of software assets across a family of similar ground-based
spacecraft command-and-control systems. A case study of this
project was included in Software Product Lines: Practices and
Patterns by Paul Clements and Linda Northrop, one of five books
published by SEI staff members this year in the SEI Series in Software
Engineering. The case study documents measurable benefits on one
operational system, including a sevenfold increase in productivity,
tenfold increase in quality, and 50% reductions in cost and schedule.

Positioned the CERT® Coordination Center (CERT/CC) and the SEI
to anticipate new threats to networked systems and to have
more impact: During calendar year 2001, the CERT/CC, the nation's
first and best-known computer emergency response team, handled
52,658 incidents, catalogued 2,437 vulnerabilities, published 41 security
alerts, and provided testimony to two congressional hearings and
one committee of the Pennsylvania House of Representatives.

The  CERT/CC  also  collaborated  with  other  government  and  industry 
organizations  and  played  a  major  role  in  alerting  the  Internet 
community,  providing  reliable  information,  and  helping  to  mitigate 
the  damage  caused  by  such  threats  as  the  Code  Red  and  Nimda 
worms. 

Demonstrated and documented defect-free software-development
methods: Results from adopters of the Team Software Process℠
(TSP℠) continued to validate the SEI's vision of defect-free software.
On efforts ranging from a few thousand lines of code up to 100,000
lines of code, typical TSP projects produce

■  near-zero  defects  in  delivered  software 

■  product  quality  that  is  from  two  to  ten  times  better  than 
comparable  projects  in  the  same  organization 

■  cost  and  schedule  performance  that  are  within  10% 
of  planned  values 

■  reduced  test  costs  and  schedules  (five  to  ten  times,  from 
months  to  days) 


Amplified the impact of the CERT/CC through the Survivable
Systems Initiative (see page 15)

■ The SEI and the Electronic Industries Alliance (EIA), a federation
of trade associations, formed the Internet Security Alliance (ISA),
an  international  coalition  of  industry,  information  security,  and 
academic  leaders.  The  ISA  leverages  the  collective  experience  of 
its  members  to  promote  sound  information  security  practices, 
policies,  and  technologies  that  enhance  the  security  of  the  Internet 
and  global  information  systems.  The  founding  sponsors  of  the 
ISA  are  listed  to  the  right. 

■  The  SEI  published  the  OCTAVE™  (Operationally  Critical  Threat, 
Asset,  and  Vulnerability  Evaluation™)  Method  Implementation 
Guide. The OCTAVE method is a self-directed risk evaluation for
information  security.  The  guide  contains  everything  needed  to 
implement  the  OCTAVE  method  in  an  organization. 

Documented evolutionary acquisition (EA) practices for
software-intensive systems: Recent changes in government policy
have emphasized EA, which extends the risk-management aspects
of spiral development to earlier stages of software development. The
SEI conducted a workshop/tutorial on EA at the 11th Annual PEO/
SYSCOM (Program Executive Officers/Systems Command) Conference
in October 2001, surfacing successes and barriers to success with EA.
The SEI also published a report on the second Spiral Development
and Evolutionary Acquisition Workshop, co-sponsored by the SEI
and the University of Southern California in September 2000. This
workshop explored the relationship between spiral development
and EA.


Founding Sponsors of the ISA

■ American International Group, Inc.

■ Exodus Communications, Inc.

■ Guardent, Inc.

■ IBM

■ ITT Industries

■ Mellon Financial Corporation

■ Nasdaq, Inc.

■ Norsk Tipping

■ Raytheon

■ Redleaf Group, Inc.

■ Sony

■ TATA Consulting Services

■ TRW, Inc.

■ University of Texas

■ Verisign, Inc.


Right: 

Addison-Wesley  published  the  CERT®  Guide  to  System  and 
Network  Security  Practices,  written  by  Julia  Allen,  one  of 
the  books  published  this  year  in  the  SEI  Series  in  Software 
Engineering.  The  book  provides  a  clear,  comprehensive, 
and  easy-to-follow  set  of  state-of-the-art  security  practices 
and answers the question, What is the best way to protect
computer networks and systems? The book has already been
translated into Finnish and Japanese; these translations
will  be  published  within  the  coming  year. 




Left: 

(l to r) Dave McCurdy, president, EIA;
Allan P. Woods, vice chairman and
chief information officer, Mellon
Financial Corporation; and Richard
D. Pethia, SEI, at press conference
announcing launch of the ISA.

SEI Technical Initiatives

■ Survivable Systems

■ Team Software Process

■ Capability Maturity Model Integration

■ Product Line Practice

■ COTS-Based Systems

■ Performance-Critical Systems

■ Architecture Tradeoff Analysis

■ Software Engineering Measurement and Analysis

■ Accelerating Software Technology Adoption


The  Internet  has  grown  exponentially  in  the  past  decade.  What  was 
once  a  small  community  of  professionals  exchanging  research  information 
has  become  a  diverse  group  of  students  and  researchers,  novices  and 
experts.  Many  commercial  and  government  organizations  depend  on  the 
Internet for their day-to-day operations. As users have
become more diverse, so have the hardware, software,
and services available from Internet service providers,
Web sites, programmers, and technology companies.

This combination of users, services, and high expectations
poses serious threats to government agencies, industries, and
organizations that now live in and rely on an electronic world where,
10 years ago, trust was assumed.

The  SEI  began  work  in  the  area  of  computer  and  network  security  in  1988 
when  the  institute  established  the  CERT®  Coordination  Center  (CERT/CC)  in 
response  to  an  attack  on  the  Internet.  The  CERT/CC  serves  as  a  computer 
emergency  response  team  and  a  central  point  for  communication  among 
computer  experts.  The  CERT/CC  has  evolved  into  a  national  resource 
recognized  as  the  preeminent  network  security  organization  in  the  world. 
CERT/CC  technical  experts  are  routinely  called  upon  by  their  sponsors 
and by national and homeland-security leaders to identify and recommend
remedies to security problems in the Internet infrastructure.

Incidents  and  vulnerabilities  reported  to  the  CERT/CC  have  doubled  year 
by  year.  During  2001,  the  CERT/CC  staff  processed  52,658  separate 
incident  reports  as  opposed  to  21,756  the  previous  year.  Vulnerabilities 
reported  to  the  CERT/CC  have  increased  at  nearly  the  same  alarming  rate: 
2,420  in  2001,  more  than  double  the  1,090  reported  in  2000.  Analysis  done 
on  these  reports  enables  the  CERT/CC  to  provide  the  DoD  and  other  critical 
national  infrastructure  operators  with  the  analysis  reports  they  need  to 
protect  themselves  from  threats  and  vulnerabilities  and  to  recover 
quickly  from  security  breaches. 


Survivable Systems


Left: 

On  Monday,  January  29,  2001,  the  CERT/CC  and  the  COVERT 
Labs  at  PGP  Security  simultaneously  released  advisories 
describing  serious  vulnerabilities  in  BIND,  the  most  commonly 
used  software  for  domain  name  system  (DNS)  servers.  The 
CERT/CC  released  an  advisory,  held  a  press  conference,  and 
conducted  several  media  interviews  about  the  BIND 
vulnerabilities. 

Data published by Men & Mice, a DNS consultancy and software
firm, indicated that the CERT/CC's efforts to alert the
community about these vulnerabilities had a positive impact.
As reported in Computerworld, "The day after the CERT and
[PGP Security] sent out the warnings, 33.3% of Fortune 1,000
sites were using a bad version of BIND and 40.27% of .coms
were vulnerable. A week later, the figures were down to 17.4%
and 16.73%, respectively, Men & Mice said."

The report on the Men & Mice Web site attributed this drop
to "the extensive media coverage and attention that this
issue received shortly after the CERT announcement; technical
engineers evidently responded promptly and installed the
necessary software fixes provided to fix this security hole."
CERT/CC staff members provide advice and convey information about Internet
security to computer system administrators, network managers, and others
in the Internet community. When the CERT/CC receives a report about a
potential vulnerability, staff experts analyze the vulnerability, working with
technology producers, vendors, and Internet-security experts. Staff members
advise technology producers and vendors of security deficiencies in their
products, help them to resolve the problems, and facilitate the distribution of
corrections to other response teams and to the Internet community at large.
The CERT/CC is a founding member of the Forum of Incident Response
and Security Teams (FIRST). CERT/CC regularly participates in FIRST activities,
including conferences and technical colloquia. Currently, more than
110 teams belong to FIRST.

One  way  in  which  CERT/CC  staff  members  respond  to  security  problems 
is  by  publishing  advisories,  incident  notes,  and  vulnerability  notes 
on the CERT/CC Web site. Advisories are prepared in response to the most
severe  threats. 

Among  the  most  serious  intruder  activities  reported  to  the  CERT/CC  in 
FY2001  were  the  following: 


Security  Incidents  Rise 

During  the  2001  calendar  year,  the  CERT/CC 
received  118,907  email  messages  and 
more  than  1,400  hotline  calls  about 
security  information  or  computer- 
security  incidents. 


While  continuing  to  maintain  its  leadership  activities  in  responding  to 
and  analyzing  threats  and  vulnerabilities,  the  CERT/CC  is  also  active  in 
helping  others  establish  their  own  incident-response  capability.  The  SEI 
has  developed  and  offers  a  series  of  courses  for  security  incident-response 
team  managers  and  technical  staff.  These  courses  build  awareness  and 
understanding  of  the  management  and  technical  issues  that  must  be 
dealt  with  to  effectively  respond  to  computer-security  emergencies.  Other 
courses,  for  executives  and  for  system  administrators,  help  organizations 
protect  against  today's  threats,  mitigate  future  threats,  and  improve  the 
overall  security  of  their  networked  systems. 




The SEI is improving practices for survivable enterprise management.
CERT/CC security practices enable experienced network
administrators  to  protect  systems  and  information  against  both 
malicious  and  inadvertent  compromises.  The  SEI  seeks  to  establish 
the  routine,  institutionalized  use  of  these  practices. 

Another major accomplishment of FY2001 was development of the
Operationally Critical Threat, Asset, and Vulnerability Evaluation℠
(OCTAVE℠) method, an approach for self-directed risk evaluations
that  are  tied  to  an  organization's  overall  mission.  The  OCTAVE  method 
balances critical information assets, business needs, threats, and vulnerabilities,
and measures the organization against known or accepted
good  security  practices. 

The  OCTAVE  method  helps  organizations  to 

■  identify  and  manage  enterprise-wide  information-security  risks 

■  develop  appropriate  protection  strategies  by  considering  policy, 
management,  administrative,  technological,  and  other  issues  to 
form  a  comprehensive  view  of  the  security  state  of  an  organization 

■  establish  an  internal  interdisciplinary  team  that  can  perform 
information-security  assessments  and  act  as  a  focal  point  for 
security-improvement  efforts 

■  improve  effectiveness  at  communicating  business  and  security 
needs  internally  and  externally 

■  manage  the  impact  of  security  and  data-privacy  regulations,  such 
as  the  Health  Insurance  Portability  and  Accountability  Act  (HIPAA) 
and  Gramm-Leach-Bliley  regulations.  The  DoD  is  planning  to  use 
the  OCTAVE  method  as  the  center  of  its  strategy  for  complying  with 
the  HIPAA  data-security  requirements.  DoD  teams  chartered  to 
use  the  OCTAVE  method  will  be  using  it  at  all  medical  treatment 
facilities  and  will  be  collaborating  with  the  SEI  in  planning  future 
transition  activities. 

The OCTAVE method for large organizations is currently available, and
a  method  for  small  organizations  is  under  development. 


Above: 

CERT/CC  Featured  in  IAnewsletter 

The  CERT/CC  is  featured  on  the  cover  of 
the  Summer 2001  (volume  u,  numbers) 
issue of IAnewsletter, the newsletter for
information-assurance professionals.
IAnewsletter is published quarterly by
the Information Assurance Technology
Analysis Center (IATAC). The IATAC is a
DoD-sponsored  Information  Analysis 
Center,  administratively  managed  by 
the  Defense  Technical  Information 
Center  (DTIC),  Defense  Information 
Systems  Agency  (DISA).  In  addition  to 
a  one-page  introductory  article  about 
the  CERT/CC,  the  issue  includes  articles 
by CERT/CC staff members on recommended
network and security practices,
system  survivability  analysis,  and  the 
OCTAVE  method  for  evaluating 
information-security  risks. 


The SEI has also developed a research program that keeps pace with evolving
information-system technology, threats, and vulnerabilities. Focused on
system survivability (the ability of a system to provide essential services
in the presence of attacks, accidents, and failures) and critical-infrastructure
protection, the SEI work is aimed at developers and acquirers of
systems as well as at system operators.

Developers  and  acquirers  need  to  understand  the  importance  of  building 
security  and  survivability  into  systems,  rather  than  trying  to  add  it  after  the 
systems  are  installed.  The  SEI's  Survivable  Systems  Analysis  method  helps 
system  architects  and  designers  systematically  assess  the  survivability 
properties of proposed systems, existing systems, and planned modifications
to existing systems.

The  Emergent  Algorithm  project  is  developing  a  powerful  system-modeling, 
simulation,  and  analysis  tool,  called  Easel,  that  enables  developers  and 
researchers  to  uncover  interactions  in  complex  systems.  Easel  can  be 
used  to  determine  the  effects  of  specific  cyber  attacks,  accidents,  and 
failures  on  large-scale  systems  of  systems  before  development.  It  allows 
"what-if"  scenarios  and  provides  information  that  can  be  used  for 
contingency  planning. 


Left: 

CERT/CC's  Tom  Longstaff  Featured 
in  TIME  Digital 

In its November 2000 issue, TIME
Digital magazine contains a feature
titled "The Digital Dozen" about 12
"movers and shakers for 2001." One of
the 12 people featured is Tom Longstaff,
manager of research and development
for the CERT/CC.

Photo:  Patrick  Harbron/TimePix 


The SEI is leading the way in helping software organizations to
improve product quality, lower costs, enhance planning accuracy, reduce
cycle times, and increase productivity. Often, the SEI's Team Software
Process℠ (TSP℠) is the reason for these improvements.

Effective  teamwork  is  essential  for  most  software 
projects.  The  TSP  has  brought  outstanding  results 
for  both  DoD  and  commercial  organizations  by 
providing  a  defined  and  measured  framework 
for  managing,  tracking,  and  reporting  on  a  software  team's  work.  In 
these  settings,  the  TSP  has  been  very  effective  because  it  provides  the 
specific  steps  that  are  rarely  obvious  to  working  engineers 
and  managers. 

The TSP is built on the Personal Software Process℠ (PSP℠), which helps
individual  engineers  to  improve  their  performances  and  has  been 
applied  to  teams  ranging  from  2  to  150  engineers.  The  PSP  provides  the 
foundation  for  building  high-performance  teams  of  professionals  who 
have been trained to plan and control their personal work, define processes
that best suit them, and consistently produce quality products.

The  TSP  has  been  widely  tested  with  both  commercial  and  military  projects 
and  shown  to  be  highly  effective  in  helping  software-intensive  teams 
deliver  quality  products  on  schedule  and  for  their  projected  costs.  Because 
of  its  emphasis  on  building  high-quality  teams  that  systematically  prevent 
defects  from  the  beginning  of  the  development  process,  the  TSP  has  been 
shown  to  sharply  reduce  the  total  cost  of  software  development  and 
acquisition.  For  example,  the  TSP  helped  Teradyne  save  $5.3  million  in 
the  first  two  years  after  TSP  was  introduced. 


Team  Software  Process 


Figure: Defects Found Before and After Using TSP (Defects/KLOC by organization)

Defects per one thousand lines of code
(Defects/KLOC) were reduced by 70% to
95% at four organizations representing
28 projects using TSP.

* Represents post-release data
Schedule Deviation


The  TSP  also  provides  timely  and  precise  project  status  and  tracking 
information  to  management  and  acquisition  groups.  Organizations  such 
as  the  Boeing  Company,  Advanced  Information  Services,  Inc.  (AIS),  and 
Hill  Air  Force  Base  have  reported  dramatic  improvements  as  a  result  of 
applying  the  TSP. 

On efforts ranging from a few thousand lines of code up to 100,000 lines
of code, the typical TSP project benefits are

■  near-zero  defects  in  delivered  software  (product  quality  that  is  from  two 
to  ten  times  better  than  comparable  projects  in  the  same  organization) 

■  cost  and  schedule  performance  that  are  within  10%  of  planned  values 

■  reduced  test  costs  and  schedules  (five  to  ten  times;  from  months  to  days) 

A  TSP  team  was  launched  this  year  at  the  Naval  Air  Systems  Command 
(NAVAIR), which develops, acquires, and supports the aircraft and related
systems used by the U.S. Navy and Marine Corps. NAVAIR's AV-8B Software
System Engineering Process Group (SSEPG) has committed to using TSP for
organic software development and is encouraging its suppliers to use TSP.
NAVAIR management has stated that the TSP has started to provide a strong
foundation to better support the way the organization plans, schedules,
and  tracks  work.  Specifically,  NAVAIR  has  found  that  the  PSP  and  TSP 
provide  detailed,  working-level  data  that  allows  the  organization  to 
detect  and  solve  problems  much  earlier  than  before.  The  TSP  has  also 
helped  NAVAIR,  a  lower  maturity  organization,  to  become  better  acquainted 
with  the  Capability  Maturity  Model®  (CMM®)-Based  Assessment  for  Internal 
Process  Improvement  (CBA  IPI)  process  (see  page  22).  NAVAIR,  currently  a 
level  2  organization,  had  its  first  CBA  IPI  in  May  2001. 


[Figures: Using the TSP, fewer defects mean lower costs and more accurate cost estimates. The first figure shows the range of error in planned versus actual project costs at four organizations representing 28 projects. The second figure shows the improvement in schedule prediction. Of these 28 projects, 13 used TSP and 15 did not.]

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TSP  team  members  stated  that  they  were  more  informed  and  better 
prepared  for  the  extensive  interviews  that  are  part  of  the  assessment 
process  due  to  their  TSP  training.  NAVAIR  management  is  hoping  to  use 
the TSP to achieve higher maturity levels of the CMM for Software (SW-CMM).
Many TSP activities map to process areas of the SW-CMM, making it
easier  and  faster  to  satisfy  maturity-level  requirements.  For  example,  the 
TSP  has  been  shown  to  help  organizations  achieve  maturity  level  4  in  just 
20  months,  compared  to  the  average  30  it  takes  without  TSP. 

The  SEI  is  helping  Electronic  Brokering  Services  (EBS),  a  worldwide  currency 
exchange  consortium  owned  by  13  banks,  to  revolutionize  its  software 
quality. EBS has formed 10 TSP teams, and senior management is committed
to using TSP/PSP to improve quality and decrease cycle time. The
company's  TSP-guided  update  to  its  BrokerNet  system,  which  handles 
between  $80  billion  and  $100  billion  in  trades  a  day,  was  delivered  with 
one-third  fewer  defects  and  completed  final  testing  on  schedule  in  only 
eight  weeks  (nearly  half  the  time  it  took  to  test  version  1).  For  a  system 
of  100,000  lines  of  code  that  took  a  year  to  develop,  this  is  remarkable.  The 
BrokerNet  system  has  now  been  installed  and  used  in  more  than  a  dozen 
international  banks  since  August  2000  with  no  reported  problems. 


Three books about PSP and TSP written
by Watts S. Humphrey for the Addison-Wesley
SEI Series in Software Engineering
are supporting broad adoption by
incorporating TSP and PSP principles
into computing curricula.

A  Discipline  for  Software  Engineering: 
The  Complete  PSP  Book  is  being  used  at 
more  than  50  colleges  and  universities, 
including Boston University, Embry-Riddle
Aeronautical University, the
Naval  Postgraduate  School,  and  the 
University  of  Pennsylvania. 

Introduction  to  the  Personal  Software 
Process  is  being  used  at  more  than  80 
colleges  and  universities,  including  the 
College  of  William  and  Mary,  Illinois 
State  University,  Purdue  University, 
and  the  U.S.  Air  Force  Academy. 

Introduction  to  the  Team  Software 
Process  is  being  used  at  more  than  20 
colleges  and  universities,  including 
Carnegie  Mellon  University  and  the 
University  of  Maryland. 


TSP  Results  at  EBS 

■ Average defect fix time was decreased by 25%.

■ Test defects dropped by a factor of 2; quality of product entering integration at least doubled, resulting in an expected integration-phase improvement of 50%.

■ Test phases became shorter and more predictable.

■ Higher quality coming out of the development phase led to all subsequent test phases costing less.

■ Analysis indicated at least 30% savings attributed to increased time on task, increased quality, and increased productivity.
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As  Ahern,  Clouse,  and  Turner  wrote  in  their  book  CMMI  Distilled, 
which  was  published  as  part  of  the  Addison-Wesley  SEI  Series  in  Software 
Engineering in FY2001, "if imitation is a measure of success, then the
Capability Maturity Model® for Software is exceptionally successful - and
for  good  reason.  People  in  many  disciplines  were  attracted 
to  the  elegance  of  the  CMM®  concept  and  its  close  ties  to 
quality-management  theory  and  practice." 

First  released  in  1991,  the  Capability  Maturity  Model  for 
Software  (SW-CMM®)  provides  a  methodology  for  appraising 
the  maturity  of  an  organization's  software  processes  and  for  identifying 
the  practices  that  are  required  to  improve  those  processes.  Adopted  and 
successfully used by more than 5,000 organizations worldwide, the
SW-CMM has become the de facto standard for appraising and improving
software  processes. 


Capability Maturity Model Integration

Better products through process improvement


Because  of  its  proven  utility,  the  CMM  methodology  has  been  applied  to 
other  disciplines,  resulting  in  additional  models.  As  a  result,  organizations 
undergoing  process  improvement  efforts  often  encountered  the  problem 
of  deciding  which  model  to  choose,  how  to  appraise  against  it,  or  how  to 
interpret  differences  in  terminology  or  guidance.  The  Capability  Maturity 
Model Integration (CMMI) project integrates several of these models and
appraisal methods into a more general framework to support enterprise-wide
improvement.
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Questionnaire  developed  by  team 
with  members  from  the  SEI,  Air  Force, 
and  MITRE  Corp.  to  help  analyze 
software  processes,  following 
Philip  Crosby's  maturity  framework 
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Internal  assessments  at  IBM 
served  as  a  precursor  to 
Capability  Maturity  Models 



First  Capability  Maturity 
Model  (CMM)  published 
as  a  technical  report 



Capability  Maturity  Model 
further  refined  and  published 
as  version  1.0  of  the  CMM 
for  Software  (SW-CMM) 


Book  on  the  software 
maturity  framework 
published 
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To  respond  to  the  challenges  and  opportunities  created  by  the  demand 
for  a  better  integration  of  models,  training,  and  appraisal  methods,  the 
Office  of  the  Under  Secretary  of  Defense  for  Acquisition  and  Technology 
initiated  the  CMMI  project,  which  is  co-sponsored  by  the  National  Defense 
Industrial  Association  Systems  Engineering  Committee.  Experts  from  a 
variety of backgrounds and organizations were asked to establish a framework
that could accommodate and integrate current and future models.


Since  February  1998,  industry,  government,  and  the  SEI  have  been  working 
to  build  a  set  of  integrated  models  covering  three  disciplines:  software 
engineering,  systems  engineering,  and  integrated  product  and  process 
development. In December 2000, version 1.02 of the Capability Maturity
Model-Integrated for Systems Engineering/Software Engineering (CMMI-SE/SW)
and the Capability Maturity Model-Integrated for Systems Engineering/Software
Engineering/Integrated Product and Process Development
(CMMI-SE/SW/IPPD) were released for use.

Version 1.02 of the CMMI Product Suite includes CMMI models, assessment
products  and  supporting  information,  and  CMMI  courses.  As  steward  of 
the  CMMI  Product  Suite,  the  SEI  collaborates  with  industry  and  government, 
under  the  direction  of  a  steering  group,  to  support  and  maintain 
the  CMMI  Product  Suite. 


The SEI also supports the transition of the CMMI Product Suite into use by

■  providing  training  and  appraisals; 

■  licensing  training  and  appraisal 
products  to  others  for  their  delivery; 

■  training,  authorizing,  and  monitoring 
lead  appraisers; 

■  providing  instructor  training;  and 

■  providing  guidance  in  model 
interpretation  and  usage  of 
appraisal  methods. 


[Timeline figure entries:]

■ CMMI version 1.02 published

■ Team Software Process developed by the SEI

■ Version 1.1 of the CMM for Software published

■ Personal Software Process (PSP) developed by the SEI to train individual software engineers to use the disciplined processes that are necessary for organizations to achieve capability maturity

■ Capability Maturity Model Integration (CMMI) project initiated by the DoD

■ CMMI version 1.1 published

■ New, specialized Capability Maturity Models published by the SEI, including CMMs for software acquisition (SA-CMM), systems engineering (SE-CMM), integrated product development (IPD-CMM), and human resources management (People CMM)

As new quality standards continue to emerge, such as EIA/IS731, Capability

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During  the  next  few  years,  the  Capability  Maturity  Model  Integration 
project  will  focus  on  helping  organizations  transition  from  use  of  the 
SW-CMM  and  other  models  to  use  of  the  CMMI  Product  Suite. 

CMMI  Appraisal  and  Assessment 

Version 1.0 of the Standard CMMI Assessment Method for Process
Improvement (SCAMPI) method description was published and
made  available  on  the  Web  in  October  2000.  The  SCAMPI  method  is 
a  benchmarking  tool  that  helps  an  organization  gain  insight  into  its 
process  area  capability  or  organizational  maturity  by  identifying  the 
strengths  and  weaknesses  of  its  current  processes  relative  to  one  or 
more  of  the  CMMI  models,  including  the  CMMI-SE/SW. 

Thirty-one organizations had been licensed by the SEI to provide SCAMPI
assessment services as of September 2001. One hundred one people took
the SCAMPI Lead Assessor training course this year as part of their
qualification to become SCAMPI Lead Assessors.


Capability  Maturity 
Modeling® 

A  Capability  Maturity  Model  (CMM) 
is  an  organized  collection  of  proven 
best  practices  for  project,  quality, 
and  process  management  for  use 
within a design-intensive discipline
such as software engineering
or  systems  engineering.  A  CMM 
provides  an  organization  with  a 
roadmap  for  continuous  process 
improvement.  The  SEI's  support  of 
the  CMM  methodology  provides  for 
training  and  assessment,  so  that 
an  organization  can  establish  and 
track  its  progress  against  its 
process-improvement  goals. 

The original CMM for Software
(SW-CMM), the first CMM, published
in 1991, was based on
principles of managing product
quality that were first developed
by Walter Shewhart in the 1930s
and expanded and successfully
demonstrated in the work of W.
Edwards Deming, Joseph Juran,
and Philip Crosby. These principles
were adapted by the SEI's Watts
Humphrey and others into a foundation
for continuously improving
software-development and
maintenance processes.

The SEI has also helped to develop
additional CMMs in other disciplines,
including

■ software acquisition (Software Acquisition Capability Maturity Model [SA-CMM])

■ human resources and organizational development (People Capability Maturity Model [P-CMM])

■ systems engineering and integrated product and process development (these disciplines have been combined with the SW-CMM in the new models, the CMMI-SE/SW/IPPD)


To date, an estimated 5,000
organizations worldwide have
invested in CMM-based software
process improvement in some form,
and some 2,000 have undergone
formal assessments to determine
where they fall among the models'
five maturity levels. Initial SEI
data showed that after organizations
implement CMM-based
improvement, median annual
productivity improves by 35%,
time to market is reduced by 19%
annually, and post-release defects
drop by 39% per year. The median
annual cost per engineer of
software process improvement
using the CMM for Software was
$1,375. The savings to organizations
were about five times this
amount.

For detailed information and sources regarding
return on investment from the use of
Capability Maturity Models, see Benefits of
CMM-Based Software Process Improvement:
Initial Results, CMU/SEI-94-TR-013.
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CMM  Pioneer:  Watts  S.  Humphrey 

The  effort  to  create  the  original  concepts  of  the  SW-CMM 
was  led  by  SEI  Fellow  Watts  S.  Humphrey,  who  has  had  a 
profound  impact  on  the  field  of  software  engineering. 
In February 2000, a new software institute bearing his
name, the Watts S. Humphrey Software Quality Institute,
was inaugurated in Chennai, India.

The March 1, 2000, issue of Business Week published a
Newsmaker Q&A interview with Humphrey, titled "The
Guru of Zero-Defect Software Speaks Out." Business
Week refers to Humphrey as the "Deming of Software,"
after W. Edwards Deming, the influential quality-manufacturing
theorist and author.

Humphrey was also chosen as one of the top 10 people
who have made the most significant contributions to the
software industry by the managing editor of CrossTalk
magazine, in an article published in the December
1999 issue.


[Photo: One organization celebrates its CMM appraisal.]


Software  Process  Improvement 
Networks 

A Software Process Improvement
Network (SPIN) is a regionally defined
group of software engineering professionals
interested in software
process improvement. The groups
meet regularly to share improvement
experiences, listen to presentations,
and work toward solutions to common
problems. There are more than 85
SPINs worldwide. Most SPINs are autonomous,
volunteer organizations,
though the SEI coordinates the network
of SPINs. The SEI provides support to
individuals and organizations that
wish to form SPINs, and disseminates
news and information about meetings
and activities to existing SPINs.


[Banner in photo: Raytheon Software CMM Level 3 Rated]
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An  important  role  of  the  SEI  is  to  help  the  DoD  adopt  and  apply 
cutting-edge  commercial  software  development  practices.  One  such 
practice  is  the  use  of  a  product  line  approach  for  software.  Long  a 
standard  practice  in  traditional  manufacturing,  the  concept  of  product 
lines  is  relatively  new  to  the  software  industry. 

Organizations  developing  software-intensive  systems 
face  many  challenges,  such  as  long  development  cycles, 
low  return  on  software  investments,  and  difficulty  in 
software  system  integration.  A  product  line  approach 
to  software  can  overcome  these  challenges. 


Product  Line  Practice 


Software Product Line

n : a set of products sharing a common, managed set of features that satisfy the specific needs of a particular market segment or mission and that are developed from a common set of core assets in a prescribed way


Traditionally,  software-intensive  systems  have  been  acquired,  developed, 
tested,  and  maintained  as  separate  products,  even  if  these  systems 
have  a  significant  amount  of  common  functionality  and  code.  Such  an 
approach  wastes  technical  resources,  takes  longer,  and  costs  more  than 
necessary.  Using  a  product  line  approach,  each  product  is  formed  by 
taking  applicable  components  from  a  base  of  common  assets,  tailoring 
them  as  necessary  through  planned  variation  mechanisms,  adding  any 
new  components  that  may  be  necessary,  and  assembling  the  collection 
according  to  the  rules  of  a  common,  product-line-wide  architecture. 
Building  a  new  product  (system)  becomes  more  a  matter  of  assembly 
or  generation  than  creation,  of  integration  rather  than  programming. 

Organizations of all types and sizes
are discovering that when skillfully
implemented, a product line strategy
can yield enormous gains in productivity,
quality, and time to market.

Making the move to product lines,
however, is both a business and
technical decision and requires
considerable change in software
engineering, technical-management,
and organizational-management
practices.

The  SEI  Product  Line  Practice  Initiative  is  helping  DoD  organizations  adopt 
commercial  software  product  line  practices  to 

■  reduce  development  and  deployment  time 

■  control  costs 

■  improve  system  flexibility  and  functionality 


During  2001,  the  SEI  increased  its  efforts  to  demonstrate  the  value  of 
software product lines to the DoD, tailor product line practices to acquisition
settings, and provide materials to acquirers. For example, the SEI
documented its collaboration with the National Reconnaissance Organization
(NRO) on its Control Channel Toolkit (CCT) program, which resulted
in a product line asset base for ground-based command and control of
satellite  systems.  The  first  government  user  of  CCT  product  line  assets  has 
slashed  development  time  and  costs  by  50  percent  and  reduced  defect 
reports  by  an  order  of  magnitude  compared  to  similar  efforts  without 
an  asset  base. 


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CCT  product  line  assets  are  also  being  used  by  other  government  programs 
and  are  the  basis  for  a  reference  architecture  for  satellite  systems  and  a 
commercial  ground-based  command-and-control  product  line.  For  more 
information, see Control Channel Toolkit: A Software Product Line Case Study.


Below: 

Ground-based  satellite  systems: 
fertile  area  for  software  product  lines 


In  FY2001,  the  SEI  developed  a  business  case  for  applying 
software  product  line  practices  across  the  NRO.  The 
business  case  was  presented  to  the  NRO's  Acquisition 
Steering  Group,  which  in  turn  charged  the  SEI  NRO 
team  to  develop  an  adoption  plan  that  identifies 
specific  ways  to  realize  strategic  reuse  across  the 
organization. 

In 1999, the SEI first developed an online information
resource, A Framework for Software Product Line
Practice (PLP Framework). It describes the management
and technical practices whose mastery and
application are necessary for success with product lines.

In 2001, the SEI greatly enriched this
conceptual framework and developed
methods for product line analysis,
architecture definition, and mining
assets to assist software developers
in carrying out the necessary product
line practices. This work is documented
in three technical publications:
The Architecture-Based Design Method;
Options Analysis for Reengineering
(OAR): A Method for Mining Legacy
Assets; and Product Line Analysis:
A Practical Introduction.


The SEI has spent more than three years developing
the PLP Framework from a combination of in-depth
studies of organizations that build product lines;
direct collaborations with industry and DoD
organizations on product line efforts; and
workshops involving participants from the product
line commercial leaders.


To  assist  organizations  in  making  the  move  to  software  product  lines, 
the  SEI  developed  and  applied  the  Product  Line  Technical  Probe,  which 
can  be  used  to  diagnose  an  organization's  product  line  readiness. 

The  SEI's  2001  product  line  efforts  culminated  in  the  publication  of 
Software  Product  Lines:  Practices  and  Patterns.  This  book  incorporates 
the  latest  version  of  the  framework,  includes  multiple  product  line  case 
studies,  including  the  CCT  experience,  and  introduces  23  common  product 
line  problems  paired  with  concrete  solutions  in  the  form  of  reusable 
product  line  practice  patterns. 


[Book cover: Software Product Lines: Practices and Patterns, by Paul Clements and Linda Northrop]
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Few  organizations  today  would  consider  building  a  system  entirely 
from scratch. Use of commercial off-the-shelf (COTS) products offers the
promise  of  faster  time  to  market  and  an  opportunity  to  take  advantage  of 
commercial  investments  in  technology  to  increase  the  functionality  and 
capability  of  the  system. 


But  the  promise  of  COTS  products  is  too  often 
not  realized  in  practice.  Many  organizations 
find  that  COTS-based  systems  are  difficult  and 
costly  to  build,  support,  and  maintain. 

Organizations tend either to assume that COTS products can simply be
thrown together or to fall back on the traditional development skills and
processes with which they are familiar, skills and processes that are
ineffective in the development of a COTS-based system.

The useful life of a legacy system can often be extended, with enhanced
capabilities, by replacing aged components with carefully selected COTS
components. Successful transition from the legacy system requires careful
strategy. During January through September 2001, the SEI performed highly
successful work in this area for the Integrated Logistics System-Supply
Program Office at Gunter Air Force Base. Four technical notes/reports were
published, addressing analysis of alternatives, system modernization,
componentization, model problems, and the unintended interaction of
various  commercial  technologies.  (See  below.) 

The  technical  analysis,  risk  identification,  and  risk  reduction  accomplished 
was  cited  by  the  program  office  as  likely  saving  years  in  the  development 
of  this  system.  This  work  will  help  organizations  to  analyze  legacy  systems 
and  identify  opportunities  for  potential  COTS  upgrades. 

CURE 

The  importance  of  managing  risk  is  well  understood  in  the  software 
engineering  community.  DoD  directives  and  mandates,  such  as  DoD 
5000.1 and 5000.2R, specify the use of risk-reduction activities. And
the  SEI's  Software  Risk  Evaluation  (SRE)  has  been  a  significant  part  of 
acquisition  for  several  years. 


COTS-Based Systems


Technical  Publications 


■ Maintaining Transactional Context: A Model Problem, Dan Plakosh, Santiago Comella-Dorda, Grace Lewis, Patrick Place, Robert Seacord (CMU/SEI-2001-TR-012)

■ Incremental Modernization for Legacy Systems, Santiago Comella-Dorda, Grace Lewis, Patrick Place, Dan Plakosh, Robert Seacord (CMU/SEI-2001-TN-006)

■ Legacy System Modernization Strategies, Robert Seacord, Santiago Comella-Dorda, Grace Lewis, Patrick Place, Dan Plakosh (CMU/SEI-2001-TR-025)

■ An Enterprise Information System Data Architecture Guide, Grace Lewis, Santiago Comella-Dorda, Patrick Place, Daniel Plakosh, Robert Seacord (CMU/SEI-2001-TR-018)
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In  an  acquisition  that  will  include  extensive  use  of  COTS  products,  several 
problems  emerge  that  are  not  present  in  non-COTS-intensive  acquisitions. 
For  example,  the  requirements  process  must  become  more  flexible,  yielding 
to  the  realities  of  commercial  products,  such  as  the  inability  to  control 
when  products  are  released,  their  features,  and  their  ability  to  interface 
with  other  products.  Such  problems  contribute  to  a  program  manager's 
loss  of  control,  and  hence,  create  added  risk. 


To help manage these risks, the SEI developed a COTS
Usage Risk Evaluation (CURE). This two-day "assessment"
makes use of lessons learned from previously
troubled programs. A CURE involves site visits by SEI
personnel to the program office and contractor for COTS-based
acquisitions. Structured question-and-answer
sessions are used to uncover potential risks in the
acquisition. Risks are identified, and strategies for
mitigating these risks are provided in a final report.

This  year  an  updated  version  of  the  CURE  method 
was  completed  and  utilized  for  two  programs. 

COTS-Based  Systems  Courses 

The SEI supports the acquisition community with two
courses, COTS-Based Systems for Executives and COTS-Based
Systems for Program Managers. More than 1,500 people have
attended  these  courses  over  the  past  two  years.  The  Defense  Systems 
Management  College  (DSMC)  has  worked  with  the  SEI  to  incorporate  a 
version  of  these  courses  into  its  curriculum. 

This year, the SEI completed a CD-ROM version of the COTS-Based Systems
for Program Managers course. The CD-ROM includes video, audio transcripts,
notes for the student, links to other SEI documents, exercises
to assess understanding, and an email query capability.

Also  this  year,  the  SEI  completed  and  delivered  a  COTS  Product 
Evaluation  Course. 


[Figure: Fundamental Change. The Traditional Approach (Waterfall Development) is contrasted with the Required COTS Approach; figure labels: System Context, Architecture and Design, Implementation. Caption: Buy, integrate, continuously refresh.]


Two  COTS-related  books  published  in  the  SEI  Series  in  Software  Engineering 


Building  Systems  from  Commercial  Components 

I found most of my projects are more or less concerned
about system integration since last year,
and found some difficulties. Depending on the
components from other vendors became a great
challenge, for my experience was mostly based on
designing/implementing components from scratch.
This book provides a new point of view to look at
the development process. The authors suggest
how designs should be adapted to face the fact
that the components we are able to assemble are
in control of others' hands, and describe several
techniques for component-based development...

This book is a good guide for the managers and
developers in this trend... I believe that readers will
enjoy the in-depth knowledge the authors present in
this book.

Chen-Wei Ho, a software engineer from Taiwan.

Patricia Oberndorf

Managing  Software  Acquisition 
Open  Systems  and  COTS  Products 

A  current,  integrated  approach  to 
managing  acquisition  for  open, 
COTS-based  systems. 
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Program  managers  need  systems  that  can  perform  successfully 
under adverse circumstances, for example, under heavy loads or in
the  presence  of  subsystem  failures.  Yet  the  behavior  of  systems  under 
such  circumstances  is  often  less  than  acceptable.  The  critical  need  to 
manage  performance  is  obvious  in  real-time  systems 
(such  as  flight-control  software).  Likewise,  unexpected 
performance  problems  in  command-and-control  or  even 
management-information  systems  can  make  such  systems 
virtually  unusable  until  costly  repairs  are  undertaken. 


Performance-Critical Systems


The  SEI  is  helping  both  the  government  and  its  contractors  to  apply 
effective  techniques  for  predicting  and  controlling  critical  aspects  of 
system  performance.  As  new  techniques  evolve  for  controlling  critical 
system  performance  properties,  the  SEI  is  bringing  the  best  of  these 
emerging  practices  into  use  on  DoD  systems. 

This  initiative  was  called  the  Dependable  Systems  Upgrade  (DSU)  Initiative 
until  recently.  Its  name  was  changed  in  FY2002  because  the  work  is  no 
longer  focused  exclusively  on  real-time  system  upgrades;  SEI  work 
in  performance-critical  systems  now  covers  many  types  of  systems. 
In particular, the SEI aims to increase the ability of DoD acquisition
organizations to specify and manage the performance attributes of
software-intensive systems being developed by external organizations.

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Formal  methods  have  long  offered  the  promise  of  ensuring  high-quality 
software  using  mathematical  rigor.  Formal  methods  represent  a  clear 
attempt  to  address  such  concerns.  However,  applying  traditional  formal 
methods to a complete system design requires a significant investment,
from learning a difficult technology to applying it in all phases of the
development  effort.  As  a  result,  there  have  been  relatively  few  success 
stories,  and  formal  methods  have  failed  to  achieve  widespread  adoption. 

The SEI has leveraged the work of the formal methods community to
develop a software engineering practice known as model-based verification
(MBV). MBV involves the selective use of formal methods on abstract
models of important portions of a system, thereby providing many of
the benefits promised by formal methods without the associated
high cost.


In developing MBV, the SEI has collaborated with the Air Force's
Computer Resources Support Improvement Program (CRSIP), the National
Aeronautics and Space Administration Independent Verification and
Validation Facility (NASA IV&V), and Embry-Riddle Aeronautical University.


Support  for  Acquirers 


SEI  Technical  Initiatives 


In  testing  the  MBV  approach  for  the  CRSIP,  the  SEI  piloted  MBV  techniques 
against  the  Block  30  Upgrade  of  the  F16  aircraft.  This  upgrade  occurred  in 
1994,  and  extensive  defect  data  was  available.  Using  requirements  and 
specification  documents  from  1994,  the  SEI  applied  MBV  techniques,  finding 
a  number  of  previously  known  and  some  new  defects.  The  newly  found 
defects were judged to reflect marginal deficiencies in the documentation
that would not have misled a knowledgeable engineer; the previously
known defects were also not serious, but had necessitated changes
in  the  documentation.  Finding  these  defects  earlier  could  have  led  to 
reduced  rework  costs. 


The  SEI  piloted  MBV  techniques 
for  the  NASA  IV&V  center  against  a 
power  distribution  system  designed 
for the (now-defunct) X-33 spacecraft.
As with the F16, the SEI found
several  defects  of  note. 




The  SEI  has  provided  support  to  several  acquisition  programs,  including 
the  Joint  Mission  Planning  System,  the  21st  Century  Land  Attack  Destroyer 
(DD21),  the  Ship  Self-Defense  System,  the  Program  Executive  Office  (PEO) 
Sub,  and  the  Coast  Guard's  Deepwater  program.  For  example,  the  SEI 
assisted the DD21 program office in preparing request-for-proposal
language and evaluation criteria for the system architecture, with emphasis on
the real-time and fault-tolerant attributes of the system. In collaboration
with DD21 and the University of Illinois at Urbana-Champaign
Multi-University Research Initiative, the SEI is helping to develop a model
real-time problem based on the DD21 radar's real-time scheduling concerns,
thereby  potentially  bringing  leading-edge  research  to  bear  on  a  DD21 
technical  issue.  For  the  Coast  Guard's  Deepwater  program  office,  the  SEI 
produced  a  document  giving  an  overview  of  dependability  and  reliability 
issues  in  software-based  systems. 


Technical  Publications 


The SEI has published four technical notes based on its work in MBV, each
examining a different aspect of MBV for the practitioner or researcher.
These notes are

■ Model-Based Verification: Claim Creation Guidelines, Santiago
Comella-Dorda, David Gluch, John Hudak, Grace Lewis, Chuck
Weinstock (CMU/SEI-2001-TN-018)

■ Model-Based Verification: Scope, Formalism, and Perspective
Guidelines, David Gluch, Santiago Comella-Dorda, John Hudak,
Grace Lewis, John Walker, Chuck Weinstock (CMU/SEI-2001-TN-024)

■ Model-Based Verification: Analysis Guidelines, Grace Lewis, Santiago
Comella-Dorda, David Gluch, John Hudak, Chuck Weinstock
(CMU/SEI-2001-TN-028)

■ Model-Based Verification: Guidelines for Generating Expected
Properties, David Gluch, Santiago Comella-Dorda, John Hudak, Grace
Lewis, Chuck Weinstock (CMU/SEI-2002-TN-003)

A  fifth  technical  note,  exploring  MBV 
and  abstraction  guidelines,  was 
published  in  early  2002. 


Developers  and  acquirers  of  complex  software  systems  need  their  systems 
to  be  modifiable  and  to  perform  well.  They  may  also  need  them  to  be 
secure,  interoperable,  portable,  and  reliable.  Quality  attributes  such  as 
these  depend  more  on  the  software  architecture  than  on  code-level 
practices  such  as  language  choice.  Moreover,  these 
qualities  do  not  exist  in  isolation.  Performance 
affects  modifiability;  interoperability  affects  security; 
and  everything  affects  cost. 


An  architecture  either  explicitly  or  implicitly  makes 
tradeoffs  among  these  qualities,  often  with  undesirable  consequences. 
The SEI has developed a high-payoff method for identifying the relationships
and tradeoffs among such quality attributes. The Architecture
Tradeoff Analysis Method℠ (ATAM℠) enables software developers and
acquirers  to  evaluate  an  architecture  for  required  quality  attributes  and 
business  goals  before  the  system  is  actually  developed.  Architectural 
decisions  are  difficult  and  expensive  to  change  later.  An  early  evaluation 
with  a  proven  method  makes  sense. 


Architecture 
Tradeoff  Analysis 


Software Architecture \ˈsȯft-ˌwar\ \ˈär-kə-ˌtek-chər\
n: the structure or structures of the system, which comprise the software
components, the externally visible properties of these components, and
the relationships among them


The SEI has been developing and piloting the ATAM and associated
architecture tradeoff technology for several years. The method has now
stabilized, and the SEI is in the initial stages of packaging the method
for others to apply. NASA Goddard and Robert Bosch GmbH have already
begun to adopt the ATAM as standard practice. To facilitate ATAM adoption,
an ATAM Evaluators Training course has been developed to train an
external evaluation team. Evaluating Software Architectures: Methods
and  Case  Studies  (see  page  33),  published  this  year  in  the  SEI  Series  in 
Software  Engineering,  describes  systematic  methods  for  evaluating 
software  architecture,  with  an  emphasis  on  the  ATAM,  and  applies  them 
to  real-life  cases.  It  shows  how  such  evaluation  can  substantially  reduce 
risk  while  adding  remarkably  little  expense  and  time  to  the  development 
effort  (in  most  cases,  less  than  a  week).  Following  the  legacy  of  an  earlier 
book  in  the  SEI  Series,  Software  Architecture  in  Practice,  published  in 
January  1998  and  now  in  its  12th  printing,  the  architecture  evaluation 
book  promises  to  make  sound  architecture  practices  accessible  to  the 
entire  software  community. 

The ATAM requires a documented architecture. However, there are also
situations in which only conceptual architecture exists; for example,
when competing contractors submit conceptual architectures for review.
To provide support under such circumstances, the SEI created the Quality
Attribute Workshop (QAW). In a QAW, stakeholders brainstorm general
usage scenarios to determine required quality attributes. Using this
information, they can set priorities among the attributes and make tradeoffs
among the attributes and the architectural decisions that support them.


Research 




The  SEI  developed  and  piloted  this  concept  with  the  sponsorship  of  the 
U.S. Coast Guard's Deepwater Acquisition Project. The goal of the Deepwater
Project is to create a system of systems, using commercial and
military technologies and innovation to develop a completely integrated,
multi-mission, and highly flexible system of assets, including cutters,
patrol boats, and short-, medium-, and long-range aircraft, at the lowest
total  ownership  cost.  The  project  is  the  largest  and  most  comprehensive 
recapitalization  effort  in  Coast  Guard  history.  During  the  year,  SEI  team 
members  applied  the  QAW  on  three  contractor  systems  as  part  of  the 
Deepwater  Project. 

The  team  also  used  a  QAW  to  identify  architectural  risks  and  requirements 
on  the  NASA  Johnson  Space  Center's  Next  Generation  Communication 
Project.  Similarly,  Maxwell  Air  Force  Base  Gunter  Annex  asked  the  SEI  to 
apply  the  QAW  on  its  Integrated  Maintenance  Data  System. 

Architecture  analysis  methods  hold  great  potential  for  the  government 
acquisition  community.  In  2001,  the  SEI  demonstrated  that  potential. 
For  example,  an  ATAM  evaluation  was  performed  on  the  Joint  National 
Test Facility's (JNTF's) Wargame 2000 architecture. The evaluation uncovered
several unknown architectural risks and areas for improvement. The
commander of the JNTF and the architect of Wargame 2000 both praised
the method and the evaluation exercise as having significant results both
in the understanding and the documentation of Wargame 2000.

The  SEI  is  also  pushing  the  research  community  with  its  new  Cost  Benefit 
Analysis  Method  (CBAM)  for  analyzing  the  costs,  benefits,  and  schedule 
implications of architectural decisions and the attribute model theory
that underlies the ATAM.


[Book cover: Evaluating Software Architectures, by Paul Clements,
Rick Kazman, and Mark Klein]


Above: 

In their first book, Software Architecture in Practice, [the SEI]
helped me match my experience with theory. Their invaluable approaches
and case studies changed my practice and the way I proceed to design
systems and software architectures. This second book...covers what I will
look at before I feel good about an architecture.


-Bertrand  Salle,  lead  architect  with  a 
major  telecommunications  company 


Right:

Roadmap for a Quality Attribute Workshop.

[Figure labels: prioritized scenarios; refined scenarios; tradeoff
scenarios; design decisions; architecture requirements, documentation,
stakeholder points of view, ...; quality attributes, taxonomies, styles,
questions, scenarios, ...]


Software organizations generally recognize that measurable data
are required for informed decision making. However, their attempts to
collect  and  analyze  useful  information  often  fall  short  of  expectations. 
The  SEI  provides  guidance  and  techniques  in  software  engineering 
measurement  and  analysis  by  showing  an  organization  how  to  develop 
and  analyze  software  measures  that  are  tied 
to  the  organization's  unique  business  goals. 
Organizations  that  have  developed  basic 
measurement  capabilities  can  leverage  that 
investment  by  learning  to  better  analyze  the 
data  they  collect  and  make  more  informed 
business  decisions. 


Software Engineering Measurement and Analysis


Software  measurement-and-analysis  programs  help  organizations  to 
develop  useful  data  on  project  control,  organizational  performance, 
and  return  on  investment.  Measurement  activities  enable  organizations 
to  answer  questions  such  as 

■  How  well  are  we  meeting  schedules  and  budgets? 

■  Has  our  performance  really  improved? 

■  What  software  practices  and/or  technologies  should  our  organization 
invest  in  and  what  yields  can  we  expect  from  this  investment? 

■  How  does  my  organization's  performance  compare  to  other 
organizations'  performances? 


The SEI Software Engineering Measurement and Analysis Initiative helps
organizations to

■ identify what to measure

■ develop operational definitions for the measures

■ define analytical approaches

■ create an organizational infrastructure to support and conduct
software-measurement activities


Without  measurement,  none  of  these  questions  can  be  accurately  answered. 
Measurement-and-analysis  techniques  allow  organizations  to  better 
manage their projects, understand their own capabilities and performances,
and document the results of innovations promising improvement
in software development and maintenance.

The  SEI  provides  basic  measurement  practices  as  well  as  leading-edge 
statistical  techniques  to  improve  an  organization's  software  project 
management  and  software  process  improvement.  These  techniques  can 
be used by developers to manage their own projects, as well as by acquisition
organizations to track the performance of a contractor. The SEI
coordinates  with  DoD  measurement  initiatives  to  keep  SEI  efforts  current 
and  in  the  forefront  of  measurement-and-analysis  development  efforts. 
These  collaborations  extend  to  the  Practical  Software  Measurement  (PSM) 
Project  and  measurement  offices  in  the  military  services,  as  well  as  to 
the SEI's own Capability Maturity Model® Integration (CMMI℠) development.
Through  this  coordination,  the  SEI  can  disseminate  and  integrate  its  work 
with  that  of  other  leading  measurement  programs. 

The exchange of best practices and lessons learned is at the heart of
the SEI's mission. The SEI produces two online resources to disseminate
information about software engineering practices and technologies: the
Software Engineering Information Repository (SEIR) and the Software
Technology Review (STR). Software professionals can support their
acquisition-and-development efforts by utilizing these resources for detailed
information on a variety of software technologies.

The SEIR is a forum for software engineers in the field (from government,
industry, and academia) to exchange lessons learned, pose
questions, and submit materials that might help others to adopt
improvement approaches.
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The  SEIR  provides  a  repository  of  information  showing  the  impact  of 
demonstrated software engineering improvement methods on organizational
performance. Since its launch in 1998 with 104 users and minimal
site  content,  the  SEIR  has  grown  to  become  one  of  the  most  frequently 
visited  areas  of  SEI-operated  Web  sites.  This  year  the  site  has  grown  to 
include  13,000  members,  representing  nearly  5,000  organizations  in  80 
countries,  and  it  includes  more  than  10,300  Web  pages  and  400  documents. 


One component of the SEIR is the Process Appraisal Information System
(PAIS). The PAIS provides the findings and data to support the publication
of the "Process Maturity Profiles of the Software Community." The
maturity profiles provide a snapshot
of  the  software  community  in  terms  of  its  software  process  maturity  and 
common  process  strengths  and  weaknesses.  They  are  based  on  results 
from  nearly  2,000  process  assessments  and  present  information  on 
organization  type,  size,  maturity,  and  other  factors.  According  to  SEI  Web 
statistics,  more  than  113,000  copies  of  the  recently  released  maturity 
profiles  were  downloaded  in  the  first  half  of  2001  alone. 


"Process Maturity Profiles" has become a benchmark for organizations
pursuing software process improvement.


The STR is a Web-based resource that features concise and informative
summaries  of  current  and  emerging  software  technologies.  The  STR  supports 
the  SEI's  mission  to  share  and  disseminate  new  ideas,  lessons  learned, 
expertise,  and  best  practices  in  the  areas  of  software  engineering  for  the 
DoD.  As  a  reference  source,  the  STR's  primary  purpose  is  to  provide  the  DoD 
with  a  better  understanding  of  software  technologies  that  will  enable  it 
to  systematically  plan  for  the  upgrade  and  evolution  of  current  systems, 
as  well  as  the  development  of  new  systems.  In  addition,  the  STR  provides 
managers  and  engineers  in  the  acquisition  and  other  communities  with 
technical  descriptions  that  include  a  high-level  summary  of  a  software 
technology,  an  assessment  of  its  maturity,  usage  considerations,  costs 
and  limitations,  links  to  further  information,  and  other  valuable  data. 
The  STR  is  particularly  useful  for  those  building  or  maintaining  systems  in 
command,  control,  and  communications  applications,  as  well  as  automated 
information  systems. 


Right:

In FY2001, the STR site experienced nearly 2 million page hits, was viewed
by more than 166,000 users in 139 countries, and had more than 18,000
documents downloaded.


For many software-intensive organizations, technology transition,
the process of facilitating the acceptance and use of a new technology,
is a challenging and often unpredictable activity. Software developers,
now  more  than  ever  recognizing  a  mission-critical  need  to  improve  their 
software  engineering  practices,  are  faced  with  a  continuous  spectrum  of 
adoption  challenges  as  they  seek  to  improve 
their  skills,  processes,  products,  and  capabilities. 
Researchers,  developing  software-improvement 
technologies  for  software  developers  or  acquirers, 
are  realizing  that  the  value  or  quality  of  their 
technologies  alone  does  not  ensure  their 
acceptance  and  use. 


Accelerating Software Technology Adoption


During FY2001, the Defense Modeling and Simulation Office (DMSO),
a DoD science and technology (S&T) organization, piloted an SEI
transition-planning approach called Transplant. With the SEI's guidance,
the  program  manager  and  deputy 
of  DMSO's  High  Level  Architecture 
(HLA)  created  the  first  of  the 
necessary  components  of  a  good 
transition  plan,  including 

■  articulation  of  goals  and  strategy 
to  meet  transition  needs 

■  a  description  of  target  adopters 
and  plans  for  how  and  when  to 
use  them  to  accelerate  the 
adoption 

■ specification of transition mechanisms, risks, and initial
risk-mitigation plans

The  HLA  staff  is  working  with  these 
documents  to  guide  transition  for 
its  vendor  and  user  communities. 


The SEI is developing methods to help those responsible for technology
transition (a role the SEI calls "transition agent") to be able to answer
these questions:

■  Is  the  technology  to  be  transitioned  ready  for  the  target  community 
or  organization? 

■  Is  the  target  community  or  organization  ready  to  adopt  the 
new  technology? 

Many  organizations  do  not  ask  these  questions,  do  not  know  how 
to  determine  an  answer,  or  do  not  know  what  to  do  next  when  the 
answer  is  "no." 

The  SEI  helps  organizations  plan  to  overcome  gaps  and,  ultimately, 
manage  the  transition  to  a  successful  completion.  The  SEI's  innovations 
are  helping  researchers,  developers,  and  acquirers  to  better  understand, 
evaluate,  plan,  and  manage  technology  transition. 

To provide a means of evaluating the progress of an ongoing transition,
the SEI introduced the Technology Transition Workshop (TTW) series in
FY2001. The first workshop focused on Capability Maturity Model® Integration
(CMMI℠, see page 22) and captured the mechanisms that organizations
conducting pilot adoptions were using to transition to the CMMI Product
Suite, as well as what is still needed and what they found that does not
work. The workshop findings were disseminated to the broader CMMI
adopter population through the CMMI Technology Conference and User
Group held in Denver, CO, November 13-15.
The SEI Accelerating Software Technology Adoption (ASTA) Initiative
identifies, develops, and promotes practices that result in better, faster,
and cheaper adoption of software engineering technologies.
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Sometimes  the  introduction  and  assimilation  of  a  new  technology 
requires  the  introduction  of  a  supporting  information  technology  (IT) 
package.  Unfortunately,  anecdotal  evidence  is  replete  with  examples 
of  failed  tool  adoption. 

The  SEI  has  developed  INTRo,  a  Web-based  adoption  management  guide 
for  selecting  and  rolling  out  IT  technologies  across  an  enterprise.  Using 
INTRo,  an  organization  can  introduce  new  software  tools  and  technologies 
by following a series of structured and informative process steps, tutorials,
tips, checklists, and sample process outputs. The model emphasizes
the  importance  of  sharing  information  and  disseminating  knowledge 
practices  throughout  an  organization  to  develop  more  lasting  and  complete 
business  solutions. 

The  SEI's  focus  on  technology  transition  is  expanding  into  other  areas 
of  need,  such  as  how  to  measure  the  fit  between  a  technology  and  its 
intended targets, and how to measure the progress of technology adoption
within  an  organization  or  community.  These  are  important  aspects  of 
preparing  for,  planning,  and  managing  a  successful  technology  transition. 




Right  and  below: 

Screen  shots  from  INTRo 
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2001  Special  Programs 


Defense  Strategic  Impact  Program 
Independent  Technical  Assessments 


Technology Insertion, Demonstration,
and Evaluation Program




Through the Defense Strategic Impact Program (DSIP), the SEI seeks
to transition SEI technology and improve the quality of SEI engagements
with defense organizations by supporting the goals and objectives of the
defense acquisition community. The SEI is planning and working to create
successful long-term engagements with the Air Force, Army, and Navy.


DSIP  work  is  planned  and  executed  to  provide  a  broad 
cross  section  of  defense  organizations  with  access  to  SEI 
courses,  workshops,  and  technology  to  improve  the 
software-acquisition management skills of members of
the defense acquisition workforce. The SEI provides technical
assessments of critical defense programs to assess program
status, and supports efforts by systems commanders, program executive
officers, and program managers to rapidly transition best acquisition
management  and  technical  practices  into  use.  The  SEI  also  supports 
defense  software-development  organizations  in  transitioning  best  SEI 
management  and  technical  practices  that  provide  software  engineering 
expertise  to  defense  program  offices. 


Defense  Strategic 
Impact  Program 


DSIP  activities  include 


■  education  and  training,  including 
courses,  workshops,  observations, 
and  coaching 

■ acquisition pilots with selected defense acquisition programs.
An acquisition pilot is an approach for maturing and transitioning
improved practices to the acquisition community. It involves the trial
use of one or more acquisition-focused products and/or services from
the SEI in support of strategically important acquisition programs.
The goal of an acquisition pilot is to foster widespread, institutionalized
use of the piloted practices throughout an acquisition organization.

■  direct  technical  assistance  to  service  acquisition  executives,  program 
executive  officers,  and  program  managers 

■  placement  of  defense  resident  affiliates  (see  page  52),  either  full  or 
part  time,  at  the  SEI 

■  collaboration  with  transition  partners  to  leverage  the  transition  of 
SEI  technology  to  the  defense  acquisition  community 

In  2001,  the  SEI  established  project  work  statements  with  service 
acquisition  executives  (SAEs)  in  the  Air  Force,  Army,  and  Navy.  The  SEI 
defined  the  proposed  content  of  the  Air  Force  Strategic  Impact  Program, 
the  Army  Strategic  Impact  Program,  and  the  Navy  Strategic  Impact  Program 
and  presented  these  concepts  to  the  respective  SAEs  or  their  designated 
representatives. 




Through  the  DSIP,  the  SEI 

■  transitions  SEI  technology  to 
improve  the  ability  of  defense 
acquisition  organizations  to 
acquire  near-defect-free 
software-intensive  systems 
on  time,  every  time; 

■  increases  awareness  of  SEI 
capabilities  and  technologies 
throughout  the  defense 
acquisition  community; 

■  seeks  strategic  advocacy  of 
senior  defense  leadership  to 
actively  endorse  adoption 
of  SEI  technology  by  defense 
acquisition  organizations;  and 

■  demonstrates  the  applicability 
and  relevance  of  SEI  technology 
to systemic problems in acquiring
software-intensive systems.
Through independent technical assessments (ITAs), SEI teams
uncover the root causes of problems affecting DoD software-intensive
programs with the goal of providing recommendations that maximize a
program's strengths and minimize and mitigate its risks. ITAs are objective,
technical evaluations of software-intensive development or acquisition
programs. They are typically initiated by the system
program director, program executive officer, or a higher
level acquisition official.

ITA  teams  are  composed  of  SEI  staff  members  and  visiting 
scientists  with  an  appropriate  mix  of  expertise,  who 
conduct a series of interviews with program stakeholders
and ultimately deliver a briefing and recommendations to the party
that  initiated  the  ITA. 

The  SEI  has  performed  many  ITAs  over  the  past  four  years  on  mission-critical 
systems  for  the  DoD  and  other  agencies.  Most  of  the  programs  evaluated 
have  been  U.S.  Air  Force  and  Navy  programs,  and  have  been  procurements 
of  software-intensive  systems  with  the  following  application-domain 
attributes: 

■  real-time  vehicle  electronics 

■  command,  control,  communications,  and  intelligence 

■  logistics  support 

■  electronics  testing  and  evaluation 

■  satellite  ground  control 




Independent Technical Assessments




ITAs  conducted  in  2001  included 

■  an  assessment  of  technical  risks  to  the  Standard  Procurement  System 
(SPS),  which  included  proposed  mitigation  strategies.  The  SPS  is  an 
automated  information  system  that,  when  implemented,  will  support 
procurement functions, from the receipt of requirements until contract
closeout, at all DoD procurement organizations. The SPS is intended
to  replace  76  automated  procurement  systems  and  additional  manual 
processes. 

■  an  assessment  of  key  strengths,  weaknesses,  and  risks  of  the  Air  Force's 
Military Personnel Data System, which supports all personnel management
functions, from recruiting through job assignment, and ultimately
separation  or  retirement. 

■ an assessment of the Space Based Infrared Systems (SBIRS). In conjunction
with the Aerospace Corp., SEI staff participated on the independent
review  team  that  evaluated  the  SBIRS  ground  segment  development, 
providing  expertise  in  software  engineering,  real-time  systems,  and 
systems/architectural  engineering  and  interoperability. 

■  an  objective  technical  and  programmatic  evaluation  of  the  Global 
Broadcast  System  program.  In  addition  to  SEI  staff  members,  the  ITA 
team  included  both  government  and  support  contractor  personnel, 
selected  by  the  Air  Force  acquisition  executive.  The  ITA  resulted  in 
recommendations  to  leverage  the  program's  strengths  and  minimize 
or  mitigate  its  risks. 

■  an  assessment  of  the  Joint  Mission  Planning  System  and  a  later  review 
of  the  program's  response  to  SEI  recommendations  as  a  result  of  the  ITA. 

■  a  two-day  "quick-look"  assessment  to  examine  software-related 
issues  on  the  Air  Force  Mission  Planning  System  program.  The  ITA 
included  interviews  with  Air  Force  Mission  Support  System  engineers 
and management staff, engineers from the B2 and B52 programs,
and  engineers  from  Sun  Microsystems  and  Sybase. 

Based on its experiences with ITAs, the SEI published a technical note in
2001, Real-Time Systems Engineering: Lessons Learned from Independent
Technical Assessments (CMU/SEI-2001-TN-004).


Like other sectors within the U.S. economy, the defense manufacturing
base is evolving. Increasingly, product development is being
outsourced  to  small  manufacturing  enterprises,  and  large  defense- 
contractor  organizations  are  becoming  integrators  of  supply  chains,  as 
opposed  to  manufacturers.  A  supply  chain  is  only  as  strong  as  its  weakest 
link.  As  the  defense  manufacturing  base  evolves,  these  links  will  be  crucial 
for  rapid  defense  response  to  future  events,  especially  regional  engagements. 


In  recent  years,  advances  in  software  technology  have 
initiated  dramatic  improvements  in  the  productivity 
of  the  U.S.  manufacturing  sector.  Small  manufacturers, 
however,  have  typically  been  reluctant  to  utilize  this 
new  technology  in  their  design  and  manufacturing 
activities,  even  though  easier-to-use,  less  costly 
software  tools  have  been  developed.  The  Technology 
Insertion,  Demonstration,  and  Evaluation  (TIDE) 
program, initiated at the SEI in May 2000, seeks to improve the profitability
and efficiency of small manufacturers by helping them understand
the business and technical processes of selecting and integrating
software  tools  for  application  to  small  manufacturing  enterprises. 


Technology Insertion, Demonstration, and Evaluation Program


The  TIDE  program  has  been  championed  and  supported  by  Congressman 
Mike  Doyle  (PA),  who  has  also  supported  collaborations  between  the 
DoD's  Manufacturing  Technology  Program  and  Department  of  Commerce 
manufacturing  initiatives.  In  the  TIDE  program,  small  manufacturers  apply 
advanced  software  engineering  technologies  to  their  business  problems. 
In 2001, two small manufacturers in Southwestern Pennsylvania (Carco
Electronics and the Kurt J. Lesker Company) invested time and engineering
personnel to collaborate with the SEI on projects demonstrating the
business benefits and process of adopting advanced technology in small-manufacturing
enterprises. The outcome of these demonstration projects
will be a toolkit that can be used by any smaller manufacturer attempting
to establish an enhanced engineering-and-design capability, to move
into new markets, and to provide more value to customers in the form
of more technically sophisticated products. Case studies generated from these
demonstration  projects  will  provide  solid 
justification  to  investors  as  well  as  to 
risk-averse  owners  of  smaller  businesses 
that  insertion  of  commercially  available 
software  does  have  substantial  benefit. 
These  case  studies  and  other  lessons 
learned  from  the  demonstration  projects 
will  then  be  shared  in  forums  such  as 
workshops,  conferences,  and  curricula 
so  that  others  in  the  DoD  supply  chain 
can  take  advantage  of  this  work. 


Left: Congressman Mike Doyle (PA), with SEI Director and CEO Stephen E. Cross


2001  Special  Programs 


Concurrently  with  the  TIDE  demonstration  projects,  the  SEI  has  initiated 
an  education-and-training  outreach  program  to  expand  technology 
adoption  throughout  the  Southwestern  Pennsylvania  manufacturing 
community. The workforce-development part of the TIDE program leverages
existing SEI assets for the benefit of the small-manufacturing
community.  This  program  offers  scholarship  support  for  small-business 
personnel  to  attend  courses,  seminars,  and  workshops  in  leading-edge 
information  technology,  leading  to  increased  awareness  of  the  value 
of  and  return  on  investment  from  technology  adoption. 

Workforce-development  activities  in  2001  included 

■  cost-free  delivery  to  the  small-business  community  of  SEI  training 
courses  in  information-technology  topics 

■  development  of  a  half-day  workshop  on  technology  adoption  for 
small  manufacturers.  TIDE  program  funds  covered  the  development 
and  delivery  costs  of  this  workshop. 

■ development of a version of the SEI’s OCTAVE (Operationally Critical
Threat, Asset, and Vulnerability Evaluation) method for evaluating
information-security risks, tailored to the needs of small manufacturing
enterprises

The  TIDE  program  also  helped  to  sponsor  two  successful  and  well-attended 
regional  workforce-development  summits. 


At this workshop, decision makers
from small manufacturing enterprises
learned about TIDE projects that demonstrated
the benefits of applying
commercially available software and
information technology.
The SEI, Its People and Organization


■  Board  of  Visitors 

■  Joint  Advisory  Council 

■  Director's  Office 


■  Management  Team 




The SEI's Board of Visitors was established to advise
the Carnegie Mellon University president and provost
and the SEI director on the SEI’s plans and operations.

The  board  monitors  SEI  activities  and  provides  reports 
to  the  president  and  provost  on  the  state  of  the  SEI 
and  recommendations  for  improvement. 


Board  of  Visitors 



Christine  B.  Davis 

Chair 

Independent Consultant

Former  Executive  Vice 
President,  Raytheon 
Systems  Company 


Gerald  P.  Dinneen 

Chair,  Policy  Division, 
National  Research 
Council 


Dave  McCurdy 

President,  Electronic 
Industries  Alliance 

Former Member,
U.S. House of
Representatives


Roger  Bate 

Chief  Architect,  CMM 
Integration™ 

Software  Engineering 
Institute  Fellow 

Former  Chief  Computer 
Scientist,  Texas 
Instruments 


Philip  L.  Dowd 

Senior  Vice  President, 
SunGard  Data  Systems 

Trustee,  Carnegie 
Mellon  University 


Alan  B.  Salisbury 

President, 
Learning  Tree 
International 


Barry  W.  Boehm 

TRW Professor of
Software Engineering

Computer  Science 
Department  Director, 
University  of  Southern 
California  Center  for 
Software  Engineering 


Paul  G.  Kaminski 

Chairman  and  Chief 
Executive  Officer, 
Technovation,  Inc. 

Former  Under 
Secretary  of  Defense 
for  Acquisition  and 
Technology 


Donald  E.  Stitzenberg 

Vice  President,  Global 
Supply  Chain,  Merial 
(a  division  of  Merck) 

Trustee,  Carnegie 
Mellon  University 


William  C.  Bowes 

Vice President,
Program Management,
Litton Industries


John  Major 

President  and  Chief 
Executive  Officer, 
Wireless  Knowledge 


Dennis  Yablonsky 

President  and  Chief 
Executive  Officer, 
Pittsburgh  Digital 
Greenhouse 


Joint  Advisory  Council 



The Joint Advisory Council is the SEI's "Board of Directors." It provides
strategic advice to the SEI's executive agent and primary sponsor.

Such  advice  includes  review  of  the  SEI  strategic  plan  and  program  plan. 


Dr.  Charles  Holland,  Chair 

Acting  Deputy  Under  Secretary  of 
Defense  (Science  &  Technology) 

Dr.  Nancy  Spruill,  Vice  Chair 

Director,  Acquisition  Resources 
and  Analysis 

Office  of  the  Under  Secretary  of 
Defense  (Acquisition,  Technology, 
&  Logistics) 

Dr.  Jane  Alexander 

Deputy  Director 

Defense  Advanced  Research 
Projects  Agency  (DARPA) 

Dr.  Michael  Andrews  II 

Deputy  Assistant  Secretary  of  the 
Army  (Research  &  Technology) 

RADM  Jay  Cohen 

Chief  of  Naval  Research 

Office  of  Naval  Research 

represented  by 
Dr.  Andre  van  Tilborg 

Director  Mathematical,  Computer, 
&  Information  Sciences  Division 

Office  of  Naval  Research 


Dr.  Henry  Dubin 

Director  for  Assessment 
and  Evaluation 

Office  of  the  Assistant  Secretary 
of  the  Army  (Acquisition,  Logistics, 
&  Technology) 

Mr.  Blaise  Durante 

Deputy  Assistant  Secretary  of  the 
Air  Force  (Management  Policy  & 
Program  Integration) 

Dr.  Charles  Infosino 

Assistant  Director  of  Technology 
Ballistic  Missile  Defense  Organization 

Mr.  John  Landon 

Deputy  Assistant  Secretary 
of  Defense 

Command, Control, Communications,
Computers, Intelligence,
Surveillance,  &  Reconnaissance 
and  Space  Command 

Dr.  Margaret  Myers 

Principal  Director 

Deputy  Assistant  Secretary 
of  Defense  (Deputy  Chief 
Information  Officer) 


Mr.  Michael  O'Driscoll 

Deputy  Chief  Engineer 

Office  of  the  Assistant  Secretary  of 
the  Navy  (Research,  Development, 
&  Acquisition) 

Dr.  Chuck  Perkins 

Deputy  Under  Secretary  of  Defense 
(Advanced  Systems  &  Concepts) 

Mr.  George  Schneiter 

Director,  Strategic  & 

Tactical  Systems 

Office  of  the  Under  Secretary  of 
Defense  (Acquisition,  Technology, 
&  Logistics) 

represented  by 
Dr.  Spiros  Pallas 

Principal  Deputy  to  the  Director, 
Strategic  &  Tactical  Systems 

Office  of  the  Under  Secretary  of 
Defense  (Acquisition,  Technology, 
&  Logistics) 

Dr.  Starnes  Walker 

Deputy  Director 

Defense  Threat  Reduction  Agency 


Dr.  Donald  Daniel 

Deputy  Assistant  Secretary  of 
the  Air  Force  (Science,  Technology, 
&  Engineering) 




Director's  Office 
Steven K. Huth

Manager,  Information  Technology 

Thomas  C.  Brandt 

Director,  Program  Integration 
Directorate 


Richard  D.  Pethia 

Director,  Networked  Systems 
Survivability  Program 

Maureen  McFalls 

Director, Government Relations
Carnegie  Mellon  University 


Peter  J.  Menniti 

Manager,  Financial 
and  Business  Services 


Linda  M.  Northrop 

Director,  Product  Line 
Systems  Program 

William  C.  Peterson 

Director,  Software  Engineering 
Process  Management  Program 


John  T.  Foreman 

Director,  Dynamic  Systems  Program 

John  B.  Goodenough 

Chief  Technical  Officer 

Purvis  M.  Jackson 

Director,  Community  Sector 


SEI Staff Accomplishments
and Transition Activities


■  Technical  Leadership  Positions 

■  Technical  Staff  Demographics 

■  Dissemination  Activities 

■  Transition  Partners 

■  Work  with  DoD  Software  Collaborators 


Technical  Leadership  Positions 


Journal  Editorships 

Bass, L. ■ Editor, Universal Access in the Information
Society, Springer-Verlag.

Cross, S. ■ Associate editor, IEEE Intelligent Systems,
Institute of Electrical and Electronics Engineers (IEEE).

Humphrey, W. ■ Member, editorial board, Empirical
Software Engineering, Kluwer Academic Publishers
■ member, editorial board, Software Process
Improvement and Practice, John Wiley & Sons, Ltd.

Kazman,  F.  ■  Guest  editor,  International  Journal  of 
Software  Engineering  and  Knowledge  Engineering, 
issue  on  software  architecture,  August  2001. 

Kellner, M. ■ Member, editorial board, Empirical Software
Engineering, Kluwer Academic Publishers
■ member, editorial board, Software Process
Improvement and Practice, John Wiley & Sons, Ltd.

McGregor, J. ■ Guest editor, special issue of IEEE Software
on initiating software product lines, September
2002 ■ member, editorial board, Journal for
Software Testing Professionals (JSTP) ■ member,
editorial board, International Journal on Computer
Information Systems (IJCIS).

Mead, N. ■ Guest editor, IEEE Software, special topic
on malicious information technology, September/October
2000 ■ contributing editor, IEEE Software
■ member, Industry Advisory Board, IEEE Software.

Northrop,  L.  ■  Guest  editor,  special  issue  of  IEEE 
Software  on  initiating  software  product  lines, 
September  2002. 

Paulk, M. ■ Member, editorial board, Software Process
Improvement and Practice, John Wiley & Sons, Ltd.
■ member, editorial board, Software Quality Professional,
American Society for Quality.

Smith,  D.  ■  Co-editor,  "Special  Issue  on  Program 
Comprehension,"  Science  of  Computer  Programming, 
July  2001,  Elsevier  Science. 

Weinstock, C. ■ Category editor, Computing Reviews,
Association of Computing Machinery.

Zubrow, D. ■ Associate editor, Software Quality, newsletter
of the Software Division of the American Society
for Quality ■ member, editorial board, Software
Quality Professional, American Society for Quality
■ guest editor, "Benchmarking Software Organizations,"
IEEE Software, September/October 2001.


Professional  Memberships 

SEI  technical  staff  members  are 
highly  respected  in  their  fields 
and serve in various leadership
positions  for  many  different 
organizations. 

Barbacci, M. ■ Member, Industrial Advisory Board
overseeing the development of the Software Engineering
Body of Knowledge ■ co-chair, IEEE Computer
Society Latin America Initiative ■ member, IEEE
Technical Activities Board Strategic Planning and
Research Committee ■ member, Steering Committee,
SEI/IEEE Computer Society Information Survivability
Workshops ■ member, International Federation for
Information Processing (IFIP) Working Group 10.5,
Design and Engineering of Electronic Systems.

Barbour, R. ■ Vice president for administration for
the Project Management Institute Risk Management
Special Interest Group.

Bass, L. ■ Member, NASA Goddard Space Flight Center
Information Sciences and Technology Visiting Committee
■ Association for Computing Machinery (ACM)
representative to the IFIP Technical Committee on
Software: Theory and Practice.


Bate, R. ■ Member, Capability Maturity Model Integration
Steering Group.

Brownsword, L. ■ Conference chair, First International
Conference on Commercial Off-the-Shelf (COTS)-Based
Software Systems.

Carter, L. ■ Commissioner, Computing Accreditation
Commission/Accreditation Board for Engineering and
Technology (CAC/ABET).

Chittister, C. ■ Member, Capability Maturity Model®
Integration Steering Group.

Clements, P. ■ Co-chair, Fourth International Workshop
on Architectures for Product Lines, 2001 ■ member,
Program Committee, International Workshop on Software
and Performance, Rome, 2002 ■ member,
Tutorials Committee, International Conference on
Software Engineering (ICSE), 2001, 2002 ■ panels
chair, member of Program Committee, International
Software Product Line Conference (SPLC), 2002 ■ tutorials
chair, Working IFIP/IEEE Conference on Software
Architecture (WICSA), 2001, 2002 ■ co-organizer,
Workshop on Advanced Separation of Concerns, ICSE
2001 ■ member, Program Committee, Workshop on
Product Line Engineering - The Early Steps: Planning,
Managing, and Modeling, German Conference on
Software Engineering, 2002 ■ member, Program Committee,
International Workshop on Product Family
Engineering, 2001 ■ co-organizer, Dagstuhl Seminar
on Software Product Lines, 2001 ■ member, Program
Committee, International Conference on Software
Reuse (ICSR7), 2002 ■ member, Program Committee,
International Workshop on Reuse Economics, in
conjunction with ICSR7, 2002 ■ member, Program
Committee, First International Conference on Aspect-Oriented
Software Development (AOSD), 2002 ■ co-organizer,
Program Committee, Workshop on Aspect-Oriented
Software Architecture Design, in conjunction
with AOSD 2002 ■ member, Program Committee,
Workshop on Requirements Engineering for Product
Lines, in conjunction with Requirements Engineering
'02, 2002 ■ member, Program Committee, Argentine
Symposium on Software Engineering, 2002.

Cross, S. ■ Chair emeritus, Defense Advanced Research
Projects Agency (DARPA) Information Science and
Technology (ISAT) panel ■ member, Defense Science
Board Task Force on Defense Software, November
2000 ■ member, editor-in-chief search committee,
IEEE Transactions on Software Engineering ■ member,
organizing committee for DoD Software Engineering
Science & Technology Summit, August 2001 ■ panel
member, Air Force Acquisition (AF/AQ) Work Culture
Transformation Board.

Dailey,  E.  ■  Member,  National  Defense  Industrial 
Association  (NDIA)  Science  &  Engineering  Technology 
Advisory  Board. 

Feller, P. ■ Member, Publicity Conference Subcommittee,
International Conference on Software Engineering
(ICSE) 2001 ■ secretary and co-author, draft
standard, Avionics Architecture Description Language
Subcommittee Working Group (AS-5C), Embedded
Computing Systems Committee, Aerospace Avionic
Systems Division, Society of Automotive Engineers (SAE).

Ferguson, J. ■ Member, Selection Committee, and
chair, Office of the Secretary of Defense-sponsored
track, Software Technology Conference ■ member,
Selection Committee, Top Five U.S. Government
Quality Software Projects ■ head, North Atlantic
Treaty Organization (NATO) Ad Hoc Working Panel
on Evaluation.

Foreman, J. ■ Co-organizer, COTS-Based Systems
Workshop, sponsored by the University of Southern
California (USC), the SEI, and the Center for Empirically
Based Software Engineering (CeBASE).

Gallagher, B. ■ Technical program chair, First Annual
Capability Maturity Model Integration Technology
Conference and User Group.

Goldenson, D. ■ Coordinator, international trials
for ISO 15504 ■ member, Program Committee, IEEE
Seventh International Software Metrics Symposium
(Metrics 2001).


Hayes, W. ■ Member, Program Committee, IEEE Eighth
International Symposium on Software Metrics (Metrics
2002) ■ member, U.S. delegation, ISO 15504.

Hissam, S. ■ Member, Advisory Committee, Department
of Computer Science and Electrical Engineering, West
Virginia University ■ program co-chair, 2002 International
Conference on COTS-Based Software Systems
(ICCBSS 2002) ■ co-organizer, 2nd Workshop on Open
Source Software Engineering, 2002 International
Conference on Software Engineering (ICSE 2002).

Humphrey, W. ■ Member, Industrial Advisory Board,
Department of Computing and Mathematics, Embry-Riddle
Aeronautical University ■ member, Review
Committee, Institute of Electrical and Electronics
Engineers Process Achievement Award.

Jones, L. ■ Vice chair, Computing Accreditation Commission/Accreditation
Board for Engineering and
Technology (CAC/ABET).

Kasunic, M. ■ Member, Information Technology Integration
Technical Committee, Systems, Standards, and
Technology Council ■ member, Practical Software and
Systems Measurement (PSM) Technical Steering Group.

Kazman, F. ■ Program co-chair, Second Working
Institute of Electrical and Electronics Engineers/
International Federation for Information Processing
(IEEE/IFIP) Conference on Software Architecture
(WICSA); chair, IFIP Working Group 2.7/13.4 ■ program
chair and member, Steering Committee, Economics-Driven
Software Engineering Research Workshop at
International Conference on Software Engineering,
2002 ■ member, Program Committee, International
Conference on Software Maintenance ■ general chair,
Engineering for Human-Computer Interaction Conference
■ program chair, Dagstuhl Seminar on Software
Architecture and Modeling ■ member, Program
Committee, Workshop on Reuse Economics, International
Conference on Software Reuse ■ member,
Software Architecture Review and Assessment
International Workshop Group.

Kitson, D. ■ Co-editor, ISO/IEC 15504-3 (Guidance on
Performing an Assessment) ■ team lead, ISO/IEC 15504
U.S. Technical Advisory Group to SC7 (the committee
responsible for software and systems engineering
standards) ■ head of U.S. delegation for several international
meetings on 15504.

Klein, M. ■ Member, Second Working Institute of
Electrical and Electronics Engineers/International
Federation for Information Processing Conference on
Software Architecture (WICSA 2).

Levine, L. ■ Vice chair, International Federation for
Information Processing (IFIP) Working Group 8.6 on
Diffusion, Transfer, & Implementation of Information
Technology ■ member, Program Committee, IFIP 8.6
Working Conference: The Adoption and Diffusion of IT
in an Environment of Critical Change, Sydney, Australia
2002 ■ member, Program Committee, IFIP WG 8.6
Working Conference: Diffusing Software Process &
Product Innovations, Banff, Canada, 2001.

Little, R. ■ Board member, Simulation Interoperability
Standards Organization (SISO) ■ technical area director,
Federation Execution Development Process IEEE
standard development effort ■ chair, IEEE standard
1516.1 Working Group on Distributed Simulation High
Level Architecture ■ core member, Defense Modeling
and Simulation Office High Level Architecture Technical
Support Team.

Marz, T. ■ Member, Common Operating Environment
(COE) Real Time Advisory Group (RTAG) ■ chair, COE RTAG
Fault Tolerance Subgroup.

Mead, N. ■ Tutorials chair, International Symposium
on Requirements Engineering, August 2001 ■ chair,
Steering Committee, International Conference on
Requirements Engineering ■ chair, Working Group on
Software Engineering Education ■ member, Advisory
Committee, Forum for the Advancement of Software
Engineering Education (FASE) ■ member, Executive
Committee, Carnegie Mellon Master of Software
Engineering Program.
Meyers, C. ■ Chair, IEEE Standard 1003.21 Working
Group on Real-Time Distributed Systems Communication
■ member, Executive Committee, IEEE Portable
Operating System Interface (POSIX) Sponsor Executive
Committee.

Monarch,  I.  ■  Member,  Association  of  Information 
Systems  (AIS)  and  the  AIS  special  interest  group  for 
History  of  Information  Science. 

Mueller,  H.  ■  Conference  chair,  2001  International 
Conference  on  Software  Engineering  (ICSE  2001). 

Nord, R. ■ Member, Program Committee, 2002 International
Conference on Software Engineering (ICSE
2002) ■ member, Program Committee, Second Working
Institute of Electrical and Electronics Engineers/International
Federation for Information Processing
Conference on Software Architecture (WICSA 2).

Northrop, L. ■ Chair-elect, Steering Committee, Object-Oriented
Programming, Systems, Languages, and
Applications (OOPSLA) Conference ■ co-chair, Fourth
International Workshop on Product Family Engineering
■ conference chair, OOPSLA 2001 ■ Industry Track co-chair,
2001 International Conference on Software
Engineering (ICSE 2001) ■ conference chair, Second
Software Product Line Conference (SPLC2) ■ organizer,
SEI Fifth Product Line Practice Workshop ■ organizer,
SEI Fourth DoD Product Line Practice Workshop ■ 2001
Carnegie Science Center (Pittsburgh, PA) Award for
Excellence in Information Technology ■ member,
Program Committee, 2002 European Conference on
Object-Oriented Programming (ECOOP) ■ co-organizer,
Advanced Separation of Concerns workshop, ICSE 2001.

O'Brien, L. ■ Member, 2001 Program Committee,
Working Conference on Reverse Engineering (WCRE)
■ organizer, Architecture Reconstruction and Product
Lines, Working Institute of Electrical and Electronics
Engineers/International Federation for Information
Processing (IEEE/IFIP) Conference on Software Architecture
(WICSA), 2001.


Oberndorf, P. ■ Co-organizer, COTS-Based Systems
Workshop, sponsored by the University of Southern
California (USC), the SEI, and the Center for Empirically-Based
Software Engineering (CeBASE) ■ organizer,
Software Technology Conference (STC) birds-of-a-feather
session on future investigations needed for
more successful pursuit of COTS-based systems.

Palmquist, S. ■ Principal secretary, American Institute
for Aeronautics and Astronautics (AIAA) Information
and Command and Control Systems Technical Committee
■ member, AIAA Corporate Council.

Paulk,  M.  ■  Member,  advisory  board,  Carnegie 
Mellon  University's  extended  Servicing  Capability 
Model  (eSCM)  project  ■  co-chair,  2001  High  Maturity 
Workshop  ■  judge,  best  paper/best  practices,  India 
Software  Engineering  Process  Group  (SEPG)  Conference 
■  reviewer,  IEEE  and  ISO  standards,  including  ISO 
9001  (Quality  Management  Systems),  ISO  9000-3 
(Software  Guideline  for  Quality  Management  Systems), 
ISO  12207  (Software  Life  Cycle  Processes),  ISO  15288 
(System Life Cycle Processes), and ISO 15504 (Software
Process  Assessment). 

Peterson,  W.  ■  Member,  Capability  Maturity  Model 
Integration  Steering  Group  ■  member,  Office  of  the 
Secretary  of  Defense  Integrated  Process  Team  (OSD  IPT) 
on  Equivalent  Methods  and  Tools  for  CMM  Maturity 
Level  3  ■  member,  OSD  IPT  on  Government  Assisted 
Appraisals  ■  member,  DoD  Common  Software 
Appraisal  Integrated  Process  Team. 

Phillips,  D.  ■  Member,  Capability  Maturity  Model 
Integration  Steering  Group. 

Ryan, C. ■ Member, Boston Software Process Improvement
Network (SPIN) Steering Committee ■ member,
Office of the Secretary of Defense Integrated Process
Team (OSD IPT) on Equivalent Methods and Tools for
CMM Maturity Level 3 ■ member, OSD IPT on Government
Assisted Appraisals.


Siviy,  J.  ■  Member,  International  Council  on  Systems 
Engineering  (INCOSE)  Measurement  Working  Group. 

Smith, D. ■ Chair, Steering Committee, International
Workshop on Computer-Aided Software Engineering
(IWCASE) ■ case study co-chair, 2001 International
Conference on Software Engineering (ICSE 2001)
■ member, Program Committee, 2001 Association
for Computing Machinery Special Interest Group on
Systems Documentation Conference (SIGDOC 2001)
■ member, 2001 Program Committee, Working Conference
on Reverse Engineering (WCRE).

Wado, J. ■ Member, IEEE Nuclear Power Engineering
Committee (NPEC) ■ member, IEEE NPEC Subcommittee
6 ■ member, NPEC Working Group 6.4.

Weinstock, C. ■ Member, International Federation for
Information Processing (IFIP) Working Group 10.4 on
Dependable Systems and Fault Tolerance ■ organizer,
IFIP Working Group 10.4 Winter 2002 meeting ■ publicity
chair, 2001 International Conference on Dependable
Systems and Networks ■ member and local co-arrangements
chair, Organizing Committee for the
2002 International Conference on Dependable Systems
and Networks.

Zubrow, D. ■ Member, Data Analysis Center, Software
Steering Group ■ member, DoD Measurement
Initiatives Working Group ■ reviewer, National
Science Award Grants for Ireland ■ reviewer, Wiley
Encyclopedia on Software Engineering ■ member,
Program Committee, 2001 Workshop on Software
and Performance (WOSP 2001) ■ member, Program
Committee, IEEE Seventh International Symposium on
Software Metrics (Metrics 2001) ■ member, Practical
Software and Systems Measurement (PSM) Technical
Steering Group.


Technical  Staff  Demographics 

The SEI's most valuable resource is its personnel. SEI staff members
include  members  of  the  technical  staff,  support  staff,  resident  affiliates, 
and  visiting  scientists. 

Resident  affiliates  are  personnel  from  industry  or  government  who  come 
to  the  SEI  as  members  of  the  technical  staff,  at  their  organizations'  own 
expenses,  to  work  at  the  SEI  for  one  to  two  years.  Visiting  scientists  are 
temporary  employees  from  industry,  academia,  or  government. 


Technical  staff  members  have,  on  average,  22  years  of  software  engineering 
experience.  Most  have  master's  degrees  or  greater. 

Education Profile [chart; surviving label: other, 7%]

Total number of employees [chart]: 0-10 years, 54; 11-20 years, 83; 21-30 years, 97; 31-40 years, 77; 41-50 years, 12

Years of Experience [chart; surviving label: 40+ yrs, 4%]

Previous Affiliation [chart; surviving label: New, 5%]

Dissemination  Activities 


A  primary  goal  of  the  SEI  is  to  expand  the  body  of  knowledge  of  the 
software  engineering  community.  The  SEI  pursues  this  goal  in  many 
ways,  such  as  publishing  research  reports,  writing  books  and  journal 
articles,  speaking  at  conferences,  and  providing  Congressional  testimony. 
The  institute  frequently  receives  acclaim  for  its  publishing  efforts 
(see  sidebar). 

The  SEI's  dissemination  activities  are  detailed  in  the  following  sections. 


Conferences Presented by the SEI




Software  Engineering  Process  Group  Conference 
The Software Engineering Process Group Conference
(SEPG) is the premier international conference and
exhibit showcase for process professionals who champion
the systematic improvement of people, process,
and technology at their organizations. This four-day
event, which was held in New Orleans in February
2001, brought together international representatives
from government, industry, and academia to provide
a global perspective on software process improvement
results and activities, such as building quality products
on cost and on schedule, and establishing and maintaining
continuous improvement efforts.

SEPG 2002 was held Feb. 18-21, 2002, in Phoenix, AZ.
SEPG 2003 will be held Feb. 24-27, 2003, in Boston, MA.


Above: Congressman John P. Murtha (PA) spoke at
the SEI Software Engineering Symposium in 2000.


More than half of all attendees at SEPG
2001 rated the conference "excellent."


An  article  by  R.L.  Glass  and  T.Y.  Chen  in 
the  Journal  of  Systems  and  Software 
59  (2001)  rates  Carnegie  Mellon/SEI  the 
number  one  institution  for  publishing 
scholarly  articles  in  the  field  of  systems 
and  software  engineering.  This  is  the 
fourth  consecutive  year  that  Carnegie 
Mellon  has  achieved  this  rating, 
largely  on  the  strength  of  the  SEI's 
publishing  activities. 

"Carnegie Mellon University (CMU)
once again tops the list this year," the
authors write. "CMU passed the perennial
leader, Bell Labs (Lucent) three
years ago...CMU's score includes that
for the Software Engineering Institute,
which is located at CMU (that is not
new in the study this year, but it does
account for higher scores over the years
than would have been achieved by
CMU alone)." The article, "An Assessment
of Systems and Software Engineering
Scholars and Institutions (1996-2000),"
is the eighth in an annual
series in the journal. It includes
five years of data and is based on
frequency of publication in the
following leading journals:

■ Information and Software Technology
■ Journal of Systems and Software
■ Software Practice and Experience
■ Software (IEEE)
■ Transactions on Software Engineering and Methodologies (ACM)
■ Transactions on Software Engineering


European Software Engineering Process Group Conference

The  European  Software  Engineering  Process  Group 
Conference  (E-SEPG),  a  joint  initiative  between  the 
SEI  and  the  European  Software  Process  Improvement 
(ESPI)  Foundation,  brings  together  European  software 
process  improvement  practitioners  and  industry 
leaders  to  discuss  current  best  practice  and  industry 
results.  The  conference  provides  a  forum  in  which 
practitioners  can  share  experiences  with  their  peers 
in  Europe  regarding  productivity  gains  in  software 
development  through  the  adoption  of  software  process 
improvement.  It  provides  guidance,  inspiration,  and 
real-world  experience  reports,  demonstrating  current 
thinking  and  proven  techniques  for  improving  quality, 
productivity,  and  predictability  in  software  projects. 

The  sixth  annual  E-SEPG  was  held  June  11-14  in 
Amsterdam,  The  Netherlands,  and  drew  419  attendees 
from  31  countries  and  235  companies.  In  2000,  381 
people  attended  the  event. 

The next E-SEPG conference will be held April 9-12,
2002, in Amsterdam.


Software  Product  Line  Conference 
The SEI held the first Software Product Line Conference
(SPLC1) in Denver, CO, the week of Aug. 28-31.
There were 185 participants from North America (the
United States and Canada), Europe (eight countries),
Asia, Africa, and Australia. Most attendees came from
commercial organizations, but academia and government
(especially through government contractors)
were also well represented. Corporations recognized
as leaders in the field of software product lines were
represented, including Hewlett-Packard, Nokia, Philips,
Bosch, Lucent, Avaya, Cummins Engine, Motorola,
Ericsson, Thomson, and General Motors.

The conference program included 10 tutorials, seven
workshops, a keynote presentation, two panels, 27
technical paper presentations (59 papers were submitted),
and an event called the "Software Product
Line Hall of Fame," for which participants nominated
the software product line elite. Inductees were A7
Avionics, CelsiusTech SS2000, Hewlett-Packard Owen
Printer Product Line, and Nokia mobile cell phones.

The  second  Software  Product  Line  Conference  (SPLC2) 
is  scheduled  for  Aug.  19-22,  2002,  in  San  Diego,  CA. 


[Chart: SEPG conference attendance, with series "Attendance" and "New Attendees"; surviving data labels: 2135, 2164.]

Attendance at SEPG has continued to climb as more and more
industry leaders make a commitment to process improvement.

SEI Courses


Through course offerings, the SEI helps to bring state-of-the-art
technologies and practices from the research lab into widespread use by the
software engineering community. The following are courses that were
taught during FY2001 at the SEI's facilities in Pittsburgh, PA, and Arlington,
VA, and at sites in Washington, DC; New York, NY; New Orleans, LA; San
Francisco, CA; and Denver, CO. The number of offerings is indicated in
parentheses.


Organizational Management Development

Consulting Skills Workshop (1)
Managing Technological Change (1)

Capability Maturity Model Integration

Intermediate Concepts of Capability Maturity Model Integration (CMMI) (4)
Introduction to Capability Maturity Model-Integrated (CMMI)-Systems Engineering and Software Engineering, V1.0, Continuous Representation (2)
Introduction to Capability Maturity Model-Integrated (CMMI)-Systems Engineering and Software Engineering, V1.0, Staged Representation (4)
Standard CMMI Assessment Method for Process Improvement (SCAMPI) Lead Assessor Training (2)

Capability Maturity Models

Introduction to the Capability Maturity Model for Software (SW-CMM) (5)
Introduction to the People Capability Maturity Model (P-CMM) (1)
Introduction to the Software Acquisition Capability Maturity Model (SA-CMM) (2)

COTS-Based Systems

COTS-Based Systems for Executives (1)
COTS-Based Systems for Program Managers (1)
Open Systems (1)
COTS Product Evaluation (4)

Software Process Improvement

Capability Maturity Model-Based Appraisal (CBA) Lead Assessor Training (1)
Continuous Risk Management (1)
Defining Software Processes (1)
High Maturity Practices of Software Organizations (1)
Implementing Goal-Driven Software Measurement (1)
Introduction to Personal Software Process (1)
Managing Personal Software Process (PSP)-Trained Engineers (1)
Managing Software Projects with Metrics (1)
Mastering Process Improvement (1)
Personal Software Process (PSP) for Engineers I: Planning (1)
Personal Software Process (PSP) for Engineers II: Quality (1)
Personal Software Process (PSP) Instructor Training (1)
Software Capability Evaluation (SCE) Lead Evaluator Training (1)
Statistical Process Control (SPC) for Software (1)
Team Software Process (TSP) Launch Coach Training (1)
Team Software Process Executive Seminar (1)

Computer and Network Security

Computer Security Incident Handling for Technical Staff (Advanced) (1)
Computer Security Incident Handling for Technical Staff (Introductory) (1)
Concepts and Trends in Information Security (2)
Executive Role in Information Security: Risk and Survivability (1)
Information Security for System and Network Administrators (1)
Managing Computer Security Incident Response Teams (1)
Creating a Computer Security Incident Response Team (1)
Overview of Managing Computer Security Incident Response Teams (1)


Foreign  government,  1% 

Other  government 
(U.S.  state  and  local),  1% 

Federal  government,  4% 

University  or  other 
research  organization,  9% 

Department  of  Defense,  9% 


Course  Attendees  by  Category  of  Organization 
(1,747  total  attendees) 


SEI-Published  Reports  and  Other  Documents  in  2001 

Documents  published  by  the  SEI  include  the  following  types: 

■  Technical  reports  (TRs)  contribute  to  a  specific  body  of  knowledge 
by  offering  new  technical  information  about  a  software  topic, 
whether  theoretical  or  applied. 

■  Technical  notes  (TNs)  make  publicly  available  peer-to-peer 
information  about  a  software  engineering  topic,  quickly,  and 
in  an  abbreviated  format. 

■  Special  reports  (SRs)  provide  information  to  a  limited  audience 
about  software-related  work,  or  provide  non-technical  information 
about  software-related  work  to  a  general  audience. 

■  Security  improvement  modules  (SIMs)  present  a  set  of  recommended 
practices  that,  if  adopted,  can  help  an  organization  improve  its 
networked  systems  security  in  a  specific  problem  domain. 


Allen, J.; Kossakowski, K.; Ford, G.; Konda, S.;
Simmel, D. ■ Securing Network Servers (SIM) ■
www.cert.org/security-improvement/#modules

Bachmann, F.; Bass, L.; Klein, M. ■ An Application
of the Architecture-Based Design Method to the
Electronic House (SR) ■
www.sei.cmu.edu/publications/documents/00.reports/00sr009.html

Bachmann, F.; Clements, P.; Garlan, D.; Ivers, J.;
Little, R.; Nord, R.; Stafford, J. ■ SEI Workshop on
Software Architecture Representation, 16-17 January
2001 (SR) ■
www.sei.cmu.edu/publications/documents/01.reports/01sr010.html

Bachmann, F.; Bass, L.; Carriere, J.; Clements, P.;
Garlan, D.; Ivers, J.; Nord, R.; Little, R. ■ Software
Architecture Documentation in Practice: Documenting
Architectural Layers (SR) ■
www.sei.cmu.edu/publications/documents/00.reports/00sr004.html

Bachman, F.; Bass, L.; Buhman, C.; Comella-Dorda,
S.; Long, F.; Robert, J.; Seacord, R.; Wallnau, K.
■ Technical Concepts of Component-Based Software
Engineering (Volume II) (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/ootrooB.html

Bachmann, F.; Bass, L.; Chastek, G.; Donohoe, P.;
Peruzzi, F. ■ The Architecture-Based Design Method
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr001.html

Barbacci, M.; Ellison, R.; Weinstock, C.; Wood, W.
■ Quality Attribute Workshop Participant's Handbook
(SR) ■
www.sei.cmu.edu/publications/documents/00.reports/00sr001.html

Barbacci, M.; Ellison, R.; Stafford, J.; Weinstock, C.;
Wood, W. ■ Quality Attribute Workshops (TR) ■
www.sei.cmu.edu/publications/documents/01.reports/01tr010.html

Bass, L.; John, B.; Kates, J. ■ Achieving Usability
Through Software Architecture (TR) ■
www.sei.cmu.edu/publications/documents/01.reports/01tr005.html

Bass, L.; Clements, P.; Donohoe, P.; McGregor, J.;
Northrop, L. ■ Fourth Product Line Practice Workshop
Report (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr002.html

Bass, L.; Buhman, C.; Comella-Dorda, S.; Long, F.;
Robert, J.; Seacord, R.; Wallnau, K. ■ Market Assessment
of Component-Based Software Engineering Assessments
(Volume I) (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn007.html

Bass, L.; Klein, M.; Bachman, F. ■ Quality Attribute
Design Primitives (TN) ■
www.sei.cmu.edu/publications/documents/00.reports/00tn017.html


Bergey, J.; Fisher, M.; Gallagher, B.; Jones, L.;
Northrop, L. ■ Basic Concepts of Product Line Practice
for the DoD (TN) ■
www.sei.cmu.edu/publications/documents/00.reports/00tn001.html

Bergey, J.; Goethert, W. ■ Developing a Product
Line Acquisition Strategy for a DoD Organization:
A Case Study (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn021.html

Bergey, J.; O'Brien, L.; Smith, D. ■ DoD Software
Migration Planning (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn012.html

Bergey, J.; Smith, D. ■ Guidelines for Using OAR
Concepts in a DoD Product Line Acquisition Environment
(TN) ■
www.sei.cmu.edu/publications/documents/00.reports/00tn004.html

Bergey, J.; O'Brien, L.; Smith, D. ■ Mining Existing
Assets for Software Product Lines (TN) ■
www.sei.cmu.edu/publications/documents/00.reports/ootnooB.html

Bergey, J.; O'Brien, L.; Smith, D. ■ Options Analysis
for Reengineering (OAR): A Method for Mining Legacy
Assets (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn013.html

Bergey, J.; Barbacci, M.; Wood, W. ■ Using Quality
Attribute Workshops to Evaluate Architectural Design
Approaches in a Major System Acquisition: A Case Study
(TN) ■
www.sei.cmu.edu/publications/documents/00.reports/00tn010.html

Boehm, B. ■ Spiral Development: Experience,
Principles, and Refinements; Spiral Development
Workshop, February 2000 (SR) (edited by W.J. Hansen) ■
www.sei.cmu.edu/publications/documents/00.reports/oosrooB.html

Butler, K.; Lipke, W. ■ Software Process Achievement
at Tinker Air Force Base (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr014.html

Chastek, G.; Donohoe, P.; Kang, K.; Thiel, S. ■ Product
Line Analysis: A Practical Introduction (TR) ■
www.sei.cmu.edu/publications/documents/01.reports/01tr001.html

Clements, P. ■ Active Reviews for Intermediate Designs
(TN) ■
www.sei.cmu.edu/publications/documents/00.reports/00tn009.html

CMMI Product Development Team ■ ARC, V1.0:
Assessment Requirements for CMMI℠, Version 1.0
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr011.html


CMMI Product Development Team ■ CMMI℠ for
Systems Engineering/Software Engineering, Version
1.02, Continuous Representation (CMMI-SE/SW, V1.02,
Continuous) (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr019.html

CMMI Product Development Team ■ CMMI℠ for Systems
Engineering/Software Engineering, Version 1.02,
Staged Representation (CMMI-SE/SW, V1.02, Staged)
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr018.html

CMMI Product Development Team ■ CMMI℠ for Systems
Engineering/Software Engineering/Integrated Product
and Process Development, Version 1.02, Continuous
Representation (CMMI-SE/SW/IPPD, V1.02, Continuous)
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/ootroBi.html

CMMI Product Development Team ■ CMMI℠ for Systems
Engineering/Software Engineering/Integrated Product
and Process Development, Version 1.02, Staged
Representation (CMMI-SE/SW/IPPD, V1.02, Staged)
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/ootroBO.html

CMMI Product Development Team ■ SCAMPI℠, V1.0:
Standard CMMI℠ Assessment Method for Process
Improvement, Method Description, Version 1.0 (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr009.html

Cohen, S. ■ Case Study: Building and Communicating
a Business Case for a DoD Product Line (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn020.html

Cohen, S.; Gallagher, B.; Fisher, M.; Jones, L.; Krut,
R.; Northrop, L.; O'Brien, W.; Smith, D.; Soule, A.
■ Third DoD Product Line Practice Workshop Report
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr024.html

Comella-Dorda, S.; Wallnau, K.; Seacord, R.; Robert, J.
■ A Survey of Legacy System Modernization Approaches
(TN) ■
www.sei.cmu.edu/publications/documents/00.reports/ootnooB.html

Comella-Dorda, S.; Lewis, G.; Place, P.; Plakosh, D.;
Seacord, R. ■ Incremental Modernization for Legacy
Systems (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn006.html

Dunaway, D.; Seow, M.; Baker, M. ■ Analysis of Lead
Assessor Feedback for CBA IPI Assessments, Conducted
July 1998-October 1999 (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr005.html

Feiler, P.; Lewis, B. (Army Aviation and Missile
Command); Vestal, S. (Honeywell Technology
Center) ■ Improving Predictability in Embedded
Real-Time Systems (SR) ■
www.sei.cmu.edu/publications/documents/00.reports/00sr011.html

Gallagher, B. ■ Using the Architecture Tradeoff Analysis
Method℠ to Evaluate a Reference Architecture: A Case
Study (TN) ■
www.sei.cmu.edu/publications/documents/00.reports/00tn007.html

Goldenson, D.; Fisher, M. ■ Improving the Acquisition
of Software-Intensive Systems (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr003.html

Hansen, W.; Foreman, J.; Albert, C.; Axelband, E.;
Brownsword, L.; Forrester, E. ■ Spiral Development
and Evolutionary Acquisition (SR) ■
www.sei.cmu.edu/publications/documents/01.reports/01sr005.html

Hansen, W.; Foreman, J.; Carney, D.; Forrester, E.;
Graettinger, C.; Peterson, W.; Place, P. ■ Spiral
Development: Building the Culture; A Report on
the CSE-SEI Workshop, February 2000 (SR) ■
www.sei.cmu.edu/publications/documents/00.reports/00sr006.html

Humphrey, W. ■ The Personal Software Process℠ (PSP℠)
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr022.html

Humphrey, W. ■ The Team Software Process℠ (TSP℠)
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr023.html


Huy, P.; Lewis, G.; Liu, M. ■ Beyond the Black Box:
A Case Study in C to Java Conversion and Product
Extensibility (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn017.html

Kazman, F.; O'Brien, L.; Verhoef, C. ■ Architecture
Reconstruction Guidelines (TR) ■
www.sei.cmu.edu/publications/documents/01.reports/01tr026.html

Kazman, F.; Klein, M.; Clements, P. ■ ATAM℠: Method
for Architecture Evaluation (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr004.html

Kossakowski, K.; Allen, J. ■ Securing Public Web Servers
(SIM) ■
www.cert.org/security-improvement/#modules

Lopez, M. ■ An Evaluation Theory Perspective of the
Architecture Tradeoff Analysis Method℠ (ATAM℠) (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr012.html

Marz, T.; Plakosh, D. ■ Real-Time Systems Engineering:
Lessons Learned from Independent Technical Assessments
(TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn004.html

McAndrews, D. ■ The Team Software Process℠: An
Overview and Preliminary Results of Using Disciplined
Practices (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr015.html

Mead, N.; Ellison, R.; Linger, R.; Longstaff, T.;
McHugh, J. ■ Survivable Network Analysis Method
(TR) ■
www.sei.cmu.edu/publications/documents/00.reports/ootroiB.html

Meyers, B.; Feiler, P.; Marz, T. ■ Proceedings of the
Real-Time Systems Engineering Workshop (SR) ■
www.sei.cmu.edu/publications/documents/01.reports/01sr022.html

Moitra, S.; Konda, S. ■ A Simulation Model for
Managing Survivability of Networked Information
Systems (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr020.html

Moitra, S.; Konda, S. ■ The Survivability of Network
Systems: An Empirical Analysis (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr021.html

Moore, A.; Ellison, R.; Linger, R. ■ Attack Modeling for
Information Security and Survivability (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn001.html

Oberndorf, T.; Brownsword, L.; Sledge, C. (PhD) ■ An
Activity Framework for COTS-Based Systems (TR) ■
www.sei.cmu.edu/publications/documents/00.reports/00tr010.html

O'Brien, L. ■ Architecture Reconstruction to Support
a Product Line Effort: Case Study (TN) ■
www.sei.cmu.edu/publications/documents/01.reports/01tn015.html

Paulk, M.; Goldenson, D.; White, D. ■ The 1999 Survey
of High Maturity Organizations (SR) ■
www.sei.cmu.edu/publications/documents/00.reports/00sr002.html

Paulk, M.; Chrissis, M. ■ The November 1999 High-
Maturity Workshop (SR) ■
www.sei.cmu.edu/publications/documents/00.reports/oosrooB.html

Place, P. ■ Guidance on Commercial-Based and Open
Systems for Coast Guard Program Managers (SR) ■
www.sei.cmu.edu/publications/documents/00.reports/oosroiB.html

Place, P. ■ Guidance on Commercial-Based and Open
Systems for Program Managers (SR) ■
www.sei.cmu.edu/publications/documents/01.reports/01sr008.html

Plakosh, D.; Comella-Dorda, S.; Lewis, G.; Place, P.;
Seacord, R. ■ Maintaining Transactional Context: A
Model Problem (TR) ■
www.sei.cmu.edu/publications/documents/01.reports/01tr012.html

Seacord, R.; Mundie, D.; Boonsiri, S. ■ K-BACEE: A
Knowledge-Based Automated Component Ensemble
Evaluation Tool (TN) ■
www.sei.cmu.edu/publications/documents/00.reports/00tn015.html


Books 

Allen, J. ■ The CERT® Guide to System and Network
Security Practices ■ Boston, MA: Addison-Wesley, 2001.

Clements, P. (editor) ■ Constructing Superior
Software ■ Indianapolis, IN: Macmillan Technical
Publishing, 2000.

Clements, P.; Kazman, R.; Klein, M. ■ Evaluating
Software Architectures: Methods and Case Studies
■ Boston, MA: Addison-Wesley, 2001.

Clements, P.; Northrop, L. ■ Software Product Lines:
Practices and Patterns ■ Boston, MA: Addison-Wesley, 2001.

Meyers, C.; Oberndorf, P. ■ Managing Software
Acquisition: Open Systems and COTS Products ■ Boston,
MA: Addison-Wesley, 2001.

Wallnau, K.; Hissam, S.; Seacord, R. ■ Building
Systems from Commercial Components ■ Boston, MA:
Addison-Wesley, 2001.


Book  Chapters 

Bass, L. ■ Ch. 21, "Software Architecture Design
Principles," B89-40B ■ Component-Based Software
Engineering: Putting the Pieces Together ■ Councill and
Heinemann, eds. Boston, MA: Addison-Wesley, 2001.

Bass, L. ■ Ch. 22, "Constructing Wearable Computers
for Maintenance Applications," 66B-694 ■ Fundamentals
of Wearable Computers and Augmented
Reality ■ Barfield and Caudell, eds. Mahwah, NJ:
Lawrence Erlbaum Associates Inc., 2001.

Bass, L. ■ Ch. 5, "Interaction Technologies: Beyond
the Desktop," 81-96 ■ User Interfaces for All
■ Stephanidis, ed. Mahwah, NJ: Lawrence Erlbaum
Associates Inc., 2001.

Clements, P. ■ Ch. 11, "From Subroutines to
Subsystems," 189-198 ■ Component-Based Software
Engineering: Putting the Pieces Together ■ Councill and
Heinemann, eds. Boston, MA: Addison-Wesley, 2001.

Clements, P. ■ Introduction, Ch. 8, "On a 'Buzzword':
Hierarchical Structure," 157-159 ■ Software
Fundamentals, Collected Papers ■ Parnas, Hoffman, and
Weiss, eds. Boston, MA: Addison-Wesley, 2001.

Clements, P. ■ Ch. 16, "The Modular Structure of
Complex Systems," 319-336 ■ Software Fundamentals,
Collected Papers ■ Parnas, Hoffman, and Weiss,
eds. Boston, MA: Addison-Wesley, 2001.

Clements, P. ■ Ch. 18, "A Rational Design Process:
How and Why to Fake It," 355-368 ■ Software
Fundamentals, Collected Papers ■ Parnas, Hoffman, and
Weiss, eds. Boston, MA: Addison-Wesley, 2001.

Herbsleb, J.; Zubrow, D.; et al. ■ Ch. 9, "Software
Quality and the Capability Maturity Model," 415-424
■ Software Process Improvement ■ Hunter and Thayer,
eds. Los Alamitos, CA: IEEE Computer Society, 2001.

Kazman, F. ■ "Software Architecture," 47-68 ■ Handbook
of Software Engineering and Knowledge
Engineering ■ Chang, ed. Riveredge, NJ: World Scientific
Pub. Co., 2001.

Paulk, M. ■ "XP from a CMM® Perspective" ■ extreme
Programming Pros and Cons: What Questions Remain?
IEEE Computer Society Dynabook [online] ■
computer.org/seweb/dynabook/index.htm or
http://computer.org/seweb/dynabook/PaulkCom.htm. (November 2000).

Stafford, J. ■ Ch. 20, "Software Architecture," 371-387
■ Component-Based Software Engineering: Putting
the Pieces Together ■ Councill and Heinemann, eds.
Boston, MA: Addison-Wesley, 2001.


The Addison-Wesley SEI Series in Software
Engineering complements other
means that the SEI uses to provide
information to the software engineering
community, such as the SEI Web
site, the CERT Web site, news@sei,
news@sei interactive, and the
Software Engineering Information
Repository. It provides software
engineering practitioners with current,
in-depth information that supports
their use of mature and continually
improving software engineering
practices. The works in the series, like
all SEI technical work, are intended to
improve the state of the practice of
software engineering; that is, they are
practitioner oriented, not theoretical.

The SEI published five new volumes
in the series in FY2001. Most books
published in the SEI Series are based
on SEI work, but the series also includes
some books that are based on non-SEI
work that complements the SEI technical
program and helps to extend the
practice of software engineering. SEI
and non-SEI authors largely donate
their own time and energy to writing
the books in the SEI Series.


Published  Conference 
Proceedings 

Akiyama, Y. ■ "Object-Oriented Fusion-Diffusion
Mechanism to Handle Crisp and Linguistic Information
for Better Human-System Interface," IB13 -
IB18 ■ Proceedings of the 2000 IEEE International
Conference on Systems, Man, and Cybernetics, Vol. 2
■ Nashville, TN, October 8-11, 2000 ■ Piscataway, NJ:
IEEE Computer Society, 2000.

Browne, H.K.; Arbaugh, W.; McHugh, J.; Fithen, W.
■ "A Trend Analysis of Exploitations," 214-229 ■ Proceedings
of the IEEE Symposium on Security and
Privacy ■ Oakland, CA, May 14-16, 2001 ■ Los Alamitos,
CA: IEEE Computer Society, 2001.

Comella-Dorda, S.; Wallnau, K.; Seacord, R.; Robert, J.
■ "A Survey of Black-Box Modernization Approaches
for Information Systems," 17B-i8b ■ Proceedings of
the International Conference on Software Maintenance
■ San Jose, CA, October 11-14, 2000 ■ Los Alamitos,
CA: IEEE Computer Society, 2000.

Cross, S. ■ "Pursue Better Software" ■ Proceedings
of the 11th International Conference on Software
Quality (on CD-ROM) ■ Pittsburgh, PA, October 22-24,
2001 ■ Milwaukee, WI: American Society for Quality
(ASQ), 2001.

Feiler, P.; Walker, J. ■ "Adaptive Feedback Scheduling
of Incremental and Design-to-Time Tasks," B18-B26
■ Proceedings of the 23rd International Conference
on Software Engineering ■ Toronto, Ontario, Canada,
May 12-19, 2001 ■ Los Alamitos, CA: IEEE Computer
Society, 2001.

Kazman, F. ■ "Introduction to the Software Architecture
Minitrack," B825 ■ Proceedings of the 34th
Annual Hawaii International Conference on Systems
Science ■ Maui, HI, January 3-6, 2001 ■ Los Alamitos,
CA: IEEE Computer Society, 2001.

Kazman, F.; Asundi, J.; Klein, M. ■ "Quantifying the
Costs and Benefits of Architectural Decisions," 297-306
■ Proceedings of the 23rd International Conference
on Software Engineering ■ Toronto, Ontario,
Canada, May 12-19, 2001 ■ Los Alamitos, CA: IEEE
Computer Society, 2001.


Levine, L.; Syzdek, G. ■ "Across the Divide: Two
Organizations Form a Virtual Team and Codevelop
a Product," 147-172 ■ Fourth Working Conference on
Diffusing Software Product and Process Innovations
■ Banff, Alberta, Canada, April 7-10, 2001 ■ Norwell,
MA: Kluwer Academic Publishers, 2001.

Linger, R.; McHugh, J.; Mead, N.; Ellison, R.; Lipson,
H.; Longstaff, T. ■ "A Research Agenda for Survivable
Systems," 103-106 ■ Proceedings of the Third Information
Survivability Workshop: "Research Directions
and Research Collaborations to Protect the Global
Information Society" ■ Cambridge, MA, October 24-26,
2000 ■ Piscataway, NJ: IEEE Computer Society, 2000.

Mead, N.; Ellison, R.; Linger, R.; Lipson, H.; McHugh,
J. ■ "Life-Cycle Models for Survivable Systems," 123-126
■ Proceedings of the Third Information Survivability
Workshop: "Research Directions and Research
Collaborations to Protect the Global Information
Society" ■ Cambridge, MA, October 24-26, 2000
■ Piscataway, NJ: IEEE Computer Society, 2000.

Monarch, I. ■ "Understanding Software Engineering
Failure as Part of the SWEBOK," 191-192 ■ Proceedings
of the 14th Conference on Software Engineering Education
and Training ■ Charlotte, NC, February 19-21,
2001 ■ Los Alamitos, CA: IEEE Computer Society, 2001.

Paulk, M. ■ "Applying SPC to the Personal Software
Process℠," 77-87 ■ Proceedings of the Tenth International
Conference on Software Quality ■ New
Orleans, LA, October 16-18, 2000 ■ Milwaukee, WI:
American Society for Quality (ASQ), 2000.

Paulk, M. ■ "Extreme Programming from a CMM
Perspective," from the XP Universe Conference
Papers ■ IEEE Software 18, 6 (November-December
2001): 19-26.

Ryan, P., et al. ■ "Non-Interface, Who Needs It?"
237-238 ■ Proceedings of the 14th IEEE Computer
Security Foundations Workshop ■ Cape Breton, Nova
Scotia, Canada, June 11-13, 2001 ■ Los Alamitos, CA:
IEEE Computer Society, 2001.

Seacord, R.; Mundie, D.; et al. ■ "K-BACEE: Knowledge-
Based Automated Component Ensemble Evaluation,"
56-62 ■ Proceedings of the 27th Euromicro Conference
■ Warsaw, Poland, September 4-6, 2001 ■ Los
Alamitos, CA: IEEE Computer Society, 2001.

Sha, L., et al. ■ "An Introduction to Control and
Scheduling Co-Design," 4865-4870 ■ Proceedings
of the 39th IEEE Conference on Decision and Control
■ Sydney, Australia, December 12-15, 2000
■ Piscataway, NJ: IEEE Computer Society, 2000.

Sha, L., et al. ■ "Online Control Optimization Using
Load Driven Scheduling," 4877-4882 ■ Proceedings
of the 39th IEEE Conference on Decision and Control
■ Sydney, Australia, December 12-15, 2000
■ Piscataway, NJ: IEEE Computer Society, 2000.

Shimeall, T.; Dunlevy, C.; Williams, P. ■ "Intelligent
Analysis for Internet Security: Ideas, Barriers, and
Possibilities," 63-74 ■ Proceedings of the International
Society for Optical Engineering ■ Boston, MA,
November 5-8, 2000 ■ Bellingham, WA: International
Society for Optical Engineering, 2001.

Stoermer, C.; O'Brien, W. ■ "MAP-Mining Architectures
for Product Line Evaluations," 35-44 ■ Proceedings
of the Working IEEE/IFIP Conference on Software
Architecture ■ Amsterdam, Netherlands, August 28-31,
2001 ■ Los Alamitos, CA: IEEE Computer Society, 2001.

Wallnau, K.; Stafford, J. ■ "Ensembles: Abstractions
for a New Class of Design Problem," 48-55 ■ Proceedings
of the 27th Euromicro Conference ■ Warsaw,
Poland, September 4-6, 2001 ■ Los Alamitos, CA:
IEEE Computer Society, 2001.

Wallnau, K. ■ "Methods of Component-Based Software
Engineering: Essential Concepts and Classroom
Experience," 709-710 ■ Proceedings of the 23rd
International Conference on Software Engineering
■ Toronto, Ontario, Canada, May 12-19, 2001
■ Los Alamitos, CA: IEEE Computer Society, 2001.


Journal  Articles 

Allen,  J.;  Alberts,  C.;  Behrens,  S.;  Laswell,  B.;  Wilson, 
W.  ■  "Improving  the  Security  of  Networked  Systems." 

■  CrossTalk  13, 10  (October  2000):  7-11. 

Bachmann,  F.;  Bass,  L.  ■  "Managing  Variability  in 
Software  Architectures"  ■  Software  Engineering 
Notes  26,  3  (May  2001):  126-132. 

Boehm,  B.;  Hansen,  W.  ■  "The  Spiral  Model  as  a  Tool 
for  Evolutionary  Acquisition"  ■  CrossTalk  74,  5  (May 
2001):  4-11. 

Carney,  D.;  Hissam,  S.;  Plakosh,  D.  ■  "Complex  COTS- 
Based  Software  Systems:  Practical  Steps  for  Their 
Maintenance"  m  Journal  of  Software  Maintenance: 
Research  and  Practice  12,  6  (November-December 
2000):  357-376. 

Carter,  L.;  Moneymaker,  P.  ■  "Managing  the  Invisible 
Aspects  of  High-Performance  Teams"  ■  CrossTalk  74,  5 
(May  2001):  29-33. 

Cross,  S.;  Graettinger,  C.  ■  "The  Software  Engineer: 
Skills  for  Change"  ■  Crosstalk  74,  6  (June  2001):  22-24. 

Cross,  S.  ■  "The  Vulnerability  of  the  Internet" 

■  Economic  Perspectives  5,  2  (May  2000):  21-24. 

Daughtrey,  T.;  Horch,  J.;  Paulk,  M.;  Meredith,  D.; 
&  Moitra,  D.  ■  "Standards:  Help,  Hindrance,  or 
Delusion?"  ■  ASQ  Software  Quality  Professional  3,  4 
(September  2001):  23-25. 

El-Emam,  K.;  Goldenson,  D.;  McCurley,  J.;  Herbsleb,  J. 

■  "Modeling  the  Likelihood  of  Software  Process 
Improvement:  An  Exploratory  Study"  ■  Empirical 
Software  Engineering  6,  3  (September  2001):  207-229. 

Embar,  C.  ■  "The  State  of  Software  Development  in 
India"  ■  Crosstalk  74,  8  (August  2001):  9-11. 

Ferguson,  J.  ■  "Crouching  Dragon,  Hidden  Software: 
Software  in  DoD  Weapon  Systems"  ■  IEEE  Software 
78,  4  (July-August  2001):  105-107. 

Fithen, W.; McHugh, J. ■ "Windows of Vulnerability:
A Case Study Analysis" ■ Computer 33, 12 (December
2000): 52-59.

Hayes, W.; Kamatar, J. ■ "An Experience Report on
the Personal Software Process." ■ IEEE Software 17, 6
(November-December 2000): 85-89.

Hefley, W.; Curtis, B.; Miller, S. ■ "Leading Through
Today's Turmoil: Strategic IT Human Capital Management"
■ Cutter IT Journal 14, 6 (June 2001): 11-18.

Hernan, S. ■ "Security Often Sacrificed for Convenience"
■ CrossTalk 13, 10 (October 2000): 18-19.

Humphrey, W. ■ "Engineers Will Tolerate a Lot of
Abuse" ■ IEEE Software 18, 5 (September-October
2001): 13-15.

Humphrey,  W.  ■  "Software-A  Performing  Science?" 
Mead, N.; Lipson, H.; Sledge, C. ■ "Toward Survivable
West-Brown, M. ■ "Avoiding the Trial-By-Fire
Zubrow, D. ■ "The Measurement and Analysis Process
Area in CMMI" ■ Newsletter of the American Society
for Quality Software Division (Spring 2001): 13-14.


Keynote  Presentations 

Albert,  C.  ■  "COTS:  Lessons  We  Continue  to  Learn." 
Washington  Chapter  of  the  Association  of  Government. 

Carney, D. ■ "Today's Market Economy: A Difficult
Time for the Investor." 13th Annual Software Engineering
Process Group Conference. New Orleans, LA,
March 2001.

Clements, P. ■ "Software Product Lines: A New Paradigm
for the New Millennium." Korean Conference of
Software Engineering. Kangwondo, Republic of Korea,
February 8-9, 2001.

Cross, S. ■ "The Role of Technology Transition Planning
in Software R & D." DoD Software Engineering
Science and Technology Summit. Los Angeles, CA,
August 7-9, 2001 ■ "Pursue Better Software." 11th
International Conference on Software Quality.
Pittsburgh, PA, October 22-24, 2001 ■ "Winning the
SOFTWAR." Association of the United States Army
Symposium. Long Beach, CA, May 2001 ■ "Towards
Component-Based Systems." University of Southern
California Center for Software Engineering Conference.
Los Angeles, CA, February 6-9, 2001.

Humphrey, W. ■ "What is Excellence?" 11th International
Conference on Software Quality. Pittsburgh,
PA, October 22-24, 2001 ■ "What is Excellence?"
European Software Engineering Process Group Conference.
Amsterdam, Netherlands, June 2001 ■ "What
is Excellence?" Lockheed Martin Symposium. Orlando,
FL, June 2001 ■ "What if Your Life Depended on
Software?" 7th European Conference on Software
Process Improvement. Copenhagen, Denmark, November
7-9, 2000 ■ "What if Your Life Depended on
Software?" Software Quality Association in Denver
Conference. Denver, CO, October 2001 ■ "Competing
in the Software Age." 1st Annual Canadian Quality
Assurance Institute Conference. Toronto, Ontario,
Canada, September 24-26, 2001.

Levine, L. ■ "Managing the Multiple Dimensions of
Change: Process, Technology, People, Culture." The
MITRE Corporation, Change Management and Innovation
Diffusion, Technology Exchange Meeting. McLean,
VA, February 2, 2001.

Northrop, L. ■ "Reuse That Pays." 23rd International
Conference on Software Engineering. Toronto, Ontario,
Canada, May 12-19, 2001 ■ "Product Line Practice."
Dagstuhl Seminar on Product Family Development
■ "Software Product Lines." Ground System Architecture
Workshop. 2001 ■ "Software Product Lines."
International Association for Product Development
Workshop ■ "Managing Product Life Cycles." Austin,
Education Today." OOPSLA Educators' Symposium.
Tampa Bay, FL, October 14-18 ■ "Software Product
Lines." Siemens Corporate Research Day.

Over,  J.  ■  VERITAS  Software  Engineering  Development 
Conference. 
Government Testimony

Carpenter, J. ■ "Computer Security Issues that Affect
Federal, State, and Local Governments and the Code
Red Worm" ■ House of Representatives Committee on
Government Reform, Subcommittee on Government
Efficiency, Financial Management and Intergovernmental
Relations ■ Washington, DC, August 29, 2001
■ www.cert.org/congressional_testimony/Carpenter_testimony_Aug29.html


Pethia, R. ■ "Information Technology-Essential But
Vulnerable; How Prepared Are We for Attacks?" ■ House
of Representatives Committee on Government Reform,
Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations
■ Washington, DC, September 26, 2001
■ www.cert.org/congressional_testimony/Pethia_testimony_Sep26.html


Shimeall, T. ■ "Internet Fraud" ■ Pennsylvania House
Committee on Commerce and Economic Development,
Subcommittee on Economic Development ■ Harrisburg,
PA, August 23, 2001
■ www.cert.org/congressional_testimony/Shimeall_testimony_Aug23.html


Tutorials 

Bass, L. & Bachmann, F. ■ "Introduction to Attribute-
Driven  Design."  23rd  International  Conference  on 
Software  Engineering.  Toronto,  Ontario,  Canada, 
May  12-19,  2001. 

Brownsword, L. ■ "COTS-Based Systems for Program
Managers." 13th Annual Software Technology Conference.
Salt Lake City, UT, April 29-May 4, 2001.

Brownsword,  L.;  Gallagher,  B.  ■  "Rational  Unified 
Process  and  the  Capability  Maturity  Model-Integrated 
for  Systems  and  Software  Engineering."  European 
Software  Engineering  Process  Group  Conference. 
Amsterdam,  Netherlands,  June  2001. 

Clark, B.; Green, D. ■ "Managing Software Projects
with  Metrics."  13th  Annual  Software  Technology 
Conference.  Salt  Lake  City,  UT,  April  29-May  4,  2001. 


Little, R. ■ "IEEE 1516.1: The High Level Architecture
Interface Specification." International Conference and
Exhibition on Training, Education, and Simulation.
Lille, France, April 24-26, 2001 ■ "High Level Architecture."
European Simulation Interoperability Workshops.
University of Westminster, UK, June 25-27, 2001
■ "High Level Architecture." Interservice/Industry
Training, Simulation, and Education Conference.
Orlando, FL, November 26-29, 2001.

Nord, R. ■ "Effective Use of UML for Software Architecture
Design." 23rd International Conference on
Software Engineering. Toronto, Ontario, Canada, May
12-19, 2001 ■ "Global Analysis." 23rd International
Conference on Software Engineering. Toronto, Ontario,
Canada, May 12-19, 2001.

Paulk, M. ■ "Statistical Techniques of High Maturity
Organizations." Applications of Software Measurement
Conference. San Diego, CA, February 12-16, 2001.


Seacord,  R.  ■  "Building  Systems  from  Commercial 
Components:  Method  Foundations  Tutorial."  3rd  Joint 
Meeting  of  the  European  Software  Engineering 
Conference  and  ACM  SIGSOFT's  Symposium  on  the 
Foundations  of  Software  Engineering.  Vienna,  Austria, 
September  10-14,  2001. 

Smith, D.; Bergey, J.; O'Brien, L. ■ "Mining Components
for Software Architecture and Product Lines."
23rd International Conference on Software Engineering.
Toronto, Ontario, Canada, May 12-19, 2001.

Zubrow,  D.  ■  "Managing  Software  Projects  with 
Metrics."  Indian  Software  Engineering  Process  Group 
Conference,  2001.  New  Delhi,  India,  February  2001. 

■  "Organizational  Performance  Measurement." 
Indian  Software  Engineering  Process  Group  Conference, 
2001.  New  Delhi,  India,  February  2001. 


Customer  Survey 

Each year, the SEI and the DoD Joint Program Office ask DoD organizations
that have worked with the SEI to rate the institute's work in seven
categories. The chart below shows the average ratings, on a five-point scale
with five being the highest, from 39 DoD organizations that worked with
the SEI in FY2000 (the most recent results available).

[Chart: average ratings by category. Legible category labels: "Would you recommend the SEI?"; "Overall."]


News  Conferences  and  Press  Releases 

The  SEI  conducted  two  news  conferences  this  year.  The  first  was  to  announce 
the  launching  of  the  Internet  Security  Alliance  (see  page  13),  and  the  second 
was  to  discuss  the  problems  caused  by  the  Code  Red  worm. 

Four press releases were issued, and are summarized below.


July  24, 2001,  Software  Engineering  Institute  and 
Defense  Acquisition  University  Form  Strategic 
Partnership  ■  The  Software  Engineering  Institute 
(SEI)  and  the  Defense  Acquisition  University  (DAU) 
today  signed  a  letter  of  intent  to  form  a  strategic 
partnership  to  improve  software  education  and 
training  opportunities  for  members  of  the  defense 
acquisition  workforce. 


April 19, 2001, Internet Security Alliance Launched
■ A new alliance was formally launched today. The
Internet Security Alliance is a response to the urgent
economic security challenge posed by a growing
dependence on e-commerce. The alliance aims
to enhance the information security of member
companies and, ultimately, the greater Internet
community worldwide.


January  29,  2001,  Software  Engineering  Institute's 
CERT  Coordination  Center  Urges  Organizations  to 
Update  Software  ■  A  newly  discovered  vulnerability 
in  arguably  the  Internet's  single  most  important 
software  package  threatens  the  Internet's  integrity. 
On  Monday,  Jan.  29,  2001,  the  CERT  Coordination 
Center  (CERT/CC)  and  the  COVERT  Labs  at  PGP  Security 
simultaneously  released  advisories  describing  serious 
new  vulnerabilities  in  BIND,  the  most  commonly 
used  software  for  domain  name  system  (DNS)  servers. 

August  21,  2001,  Internet  Security  Experts  in  the 
United  States  and  Australia  Join  Forces  ■  The  CERT 
Coordination  Center  and  the  Australian  Computer 
Emergency  Response  Team  (AusCERT)  have  signed  a 
collaborative  agreement  to  formalize  their  working 
partnership. 


Media  Coverage 


During this fiscal year, SEI staff members participated in 449 individual
interviews with members of the news media. Articles appeared in more
than 100 different publications, including U.S. News & World Report, The
New York Times, The Wall Street Journal, Federal Computer Week, and The
Washington Post.

SEI staff members provided information about such topics as open-
source software in government systems for Federal Computer Week, and
the current state of software development for Information Week and IEEE
Software. In July and August alone, staff members from the CERT Coordination
Center participated in 86 interviews to discuss the Code Red
worm with 73 different news agencies. They provided information about
the worm, ranging from possible threats to local, state, and federal Web
sites for Government Technology, to information about which home
computers might be affected and how the worm could have been prevented
for the Seattle Post-Intelligencer.

A  selected  bibliography  of  articles  that  resulted  from  interviews  with  SEI 
staff  members  follows. 


Business Week ■ "A Chat with Worm Hunter Richard
Pethia." October 23, 2001 ■ Richard Pethia discusses
security breaches and viruses on the Internet in a
question and answer session
■ www.businessweek.com/technology/content/oct2001/tc20011023_1269.htm

CIO.com ■ "CIO Research Reports." May 1, 2001
■ A study by CIO.com found that the majority of
those using a formal process for software development
are using the Software Engineering Institute's
Software Capability Maturity Model (SW-CMM). SW-
CMM seems to be a relatively new but growing practice
among CIO.com's site visitors
■ www2.cio.com/research/surveyreport.cfm?id=29.

Computerworld ■ "Real-Time Operating Systems."
June 11, 2001 ■ New distributed-computing applications
are pushing operating system developers into
research and standards development. Government
programs such as the DARPA's Quorum committee are
at work on real-time resource management, networking,
data management and middleware technologies.
Quotes Mike Gagliardi of the SEI.

Computerworld ■ "Record Year for Security Breaks
Expected." November 27, 2001 ■ The CERT Coordination
Center at Carnegie Mellon University in Pittsburgh
estimates that the number of security incidents
reported this year will surpass 40,000, more than
twice the number of incidents reported last year
■ www.cnn.com/2001/TECH/internet/11/26/security.reports.idg/index.html


Federal  Computer  Week  ■  "Building  a  Brain  Trust." 
April  30,  2001  ■  The  Social  Security  Administration, 
alarmed  by  losing  employees  with  vast  amounts  of 
expertise,  chose  to  apply  the  Capability  Maturity 
Model  (CMM)  to  its  whole  software-development 
organization. 

Federal Computer Week ■ "Worm Not Linked to
Attacks." September 19, 2001 ■ Attorney General John
Ashcroft says the Nimda worm is not connected to
the September 11 terrorist attacks. The CERT Coordination
Center began to see signs of the worm on the
morning of September 18
■ www.fcw.com/fcw/articles/2001/0917/web-worm-09-19-01.asp

Government Executive Magazine ■ "GAO Tells Pentagon
to Share Software Best Practices." April 16, 2001 ■ The
GAO compared the information technology practices
of the two largest units within each of the department's
services with Carnegie Mellon University's
IDEAL℠ model ■ www.govexec.com/dailyfed/0401/041601t1.htm

Journal of Systems and Software 59 ■ "An Assessment
of Systems and Software Engineering Scholars
and Institutions (1996-2000)." October 15, 2001 ■ This
report names the top institutions and researchers/
scholars for systems and software engineering (SSE).
CMU/SEI is ranked as the top institution for SSE.

MenandMice.com  ■  "Men  &  Mice  Research  on  BIND 
Security  Hole."  March  6,  2001  ■  Results  of  surveys 
conducted  by  Men  &  Mice  to  measure  the  incidence 
of  the  vulnerability  connected  with  BIND.  Results 
show  that  only  a  week  after  the  CERT  announcement 
the  number  of  vulnerable  BIND  servers  has  dropped 
down  to  16.73%. 


New  York  Times  ■  "Critical  Internet  Software  Found 
Vulnerable."  January  29,  2001  ■  Article  about  CERT/CC 
announcement  of  vulnerabilities  in  BIND  software. 

New York Times ■ "Cyberspace Seen as Potential Battleground."
November 23, 2001 ■ Government officials
are warning that cyberattacks are likely as retribution
for the United States campaign in Afghanistan. The CERT
Coordination Center at Carnegie Mellon University published
a memorandum outlining the nature of the
new types of attacks. Quotes Kevin Houle of the
CERT/CC
■ www.nytimes.com/2001/11/23/technology/23CYBE.html?ex=1007798283&ei=1&en=f1f5c63aa276f8e2

NewsFactor Network ■ "Hack Attacks Become Deadlier:
Is There a Defense?" November 28, 2001 ■ Denial-of-service
(DoS) attacks overwhelm computers, Web sites
and servers, and hackers are increasingly aiming
them at routers, according to a recent report by the
CERT/CC. Quotes Kevin Houle of the CERT/CC, references
his paper on the subject
■ www.newsfactor.com/perl/story/14989.html

Pittsburgh  Post-Gazette  ■  "Program  helps  small  firms 
turn  the  TIDE."  March  21,  2001  ■  TIDE  has  helped 
several  local  manufacturing  companies  gain  better 
access  to  technology  ■  Quotes  Stephen  Cross  of  the  SEI. 

Register ■ "Everything you ever wanted to know
about PC security." July 24, 2001 ■ States that, "Security
clearinghouse CERT has published advice on how
home PC users can protect themselves from the
security threats posed by the Internet. For the most
part the document is clearly written and provides
good arguments why it is in a user's best interest to
keep security patches and antiviral protection up to
date." ■ www.theregister.co.uk/content/55/20609.html

Time  Digital  ■  "The  Digital  Dozen:  Tech's  Movers  and 
Shakers  for  2001."  November  2000  ■  Tom  Longstaff, 
head  of  research  and  development  for  the  CERT/CC, 
is  identified  as  one  of  the  "digital  dozen." 

Wall  Street  Journal  ■  "Electric  Fences."  April  23,  2001 

■  Even  small  businesses  need  to  protect  their  computer 
networks.  This  article  describes  what  needs  to  be 
protected,  and  gives  instructions  about  how  to 
protect  it.  Quotes  Larry  Rogers  of  the  SEI. 

Wall  Street  Journal  ■  "Nimda  Virus  Outbreak  Slows 
For  Lack  Of  Fresh  Targets."  September  19,  2001  ■  The 
CERT/CC,  a  nonprofit,  federally  funded  group  that 
played  a  major  role  in  the  joint  government-industry 
response  to  the  Code  Red  worm,  is  still  collecting 
information  about  how  wide  Nimda  has  spread. 

Washington  Post  ■  "Computer  Worm  Called  More 
Potent  Than  Predecessors."  September  20,  2001 

■  Chad  Dougherty,  an  Internet  security  analyst  with 
CERT,  said  that  Nimda  does  not  appear  to  damage 
or  erase  data,  but  it  can  still  cause  adverse  effects. 


References  in  Leading  Software  Engineering  Publications 

More  than  one-third  of  all  articles  appearing  in  IEEE  Software  this  fiscal 
year  referenced  the  SEI's  research.  Fifty-six  percent  of  the  articles 
published  in  Crosstalk  in  fiscal  year  2001  referenced  the  SEI.  Twelve 
percent  were  written  by  SEI  authors. 
Transition Partners


The SEI licenses the packaging and transitioning of improved technologies
into wide use by working with developers and acquirers as well
as with DoD and industry organizations that help others adopt new
technology, what the SEI calls "transition partners." The following list
shows SEI transition partners according to the SEI technologies they
provide (e.g., courses, assessment services).


CERT  Coordination 
Center  Courses 

eCom  Universal,  Inc. 
Taipei,  Taiwan 

Internet  Security 
Solutions 
Taipei, Taiwan

Klaus-Peter 
Kossakowski 
Teigte,  Germany 


Consulting  Skills 
Workshop  Course 

ChangeShop,  Inc. 
Orlando,  FL 

Gateway  Associates 
Consulting  Services 
Annapolis,  MD 

Implementing  Goal- 
Driven  Software 
Measurement  Course 

Theta  Information 
Systems 
Tampa,  FL 

Interim  Profile 

Process  Focus 
Management 
Algonac, MI

Introducing  New 
Software  Technology 
Course 

Abelia  Corporation 
Fairfax,  VA 

Introduction  to  the 
Capability  Maturity 
Model  Course 

3Com 

INTERNAL  USE  ONLY 

Abacus  Technology 
Corporation 
Chevy  Chase,  MD 

Accenture 
INTERNAL  USE  ONLY 

aimware, Ltd.
Pittsburgh,  PA 

American  Management 
Systems,  Inc. 

Fairfax,  VA 

European  Software 
Institute  (ESI) 

NON-U.S. DELIVERY ONLY
Bilbao,  Spain 

First  Data  Corporation 
INTERNAL  USE  ONLY 

Milbing  & 

Associates,  Inc. 
Pittsburgh,  PA 


iNautix 

Technologies,  Inc. 
INTERNAL  USE  ONLY 

Integrated  System 
Diagnostics,  Inc. 
Pocasset,  MA 

PaySYS 

International,  Inc. 

Process  Enhancement 
Partners,  Inc. 
Franktown,  CO 

Software  Technology 
Transition 
Andover,  MA 

Introduction  to 
Capability  Maturity 
Model-Integrated-
SE/SW  Course 

3Com 

INTERNAL  USE  ONLY 

aimware,  Ltd. 
Pittsburgh,  PA 

Alcyonix,  Inc. 

St-Bruno  Quebec, 
Canada 

Alexanna,  LLC 
Pittsburgh,  PA 

American  Management 
Systems,  Inc. 

Fairfax,  VA 

BAE  Systems 
INTERNAL  USE  ONLY 

Marilyn  Bush  Associates 
Philadelphia,  PA 

Center  for  Systems 
Management 
Herndon,  VA 

ChangeBridge,  Inc. 
Chantilly,  VA 

Davis  Systems 
Pittsburgh,  PA 

Gateway  Associates 
Consulting  Services 
Annapolis,  MD 

Graffius  and  Associates 
Plymouth,  MN 

Griffith  University 
Nathan,  Brisbane, 
Australia 

Harris  Corporation 
INTERNAL  USE  ONLY 

Hllbing  & 

Associates,  Inc. 
Pittsburgh,  PA 

IBM 

Southbury,  CT 

Integrated  System 
Diagnostics,  Inc. 
Pocasset,  MA 


KAMO  Consultancy 
Pittsburgh,  PA 

Kasse  Initiatives  LLC 
Gilbert,  AZ 

Lockheed  Martin 
Gaithersburg,  MD 

Giuseppe  MAGNANI 
NON-U.S.  DELIVERY 
Merate  (LECCO)  Italy 

Martin  Process 
Solutions,  Inc.  (MPSI) 
Austin,  TX 

Nomura  Research 
Institute 
Tokyo,  Japan 

NCR  Corporation 
Dayton,  OH 

Process  Assessment, 
Consulting  &  Training 
Burnsville,  MN 

Process  Enhancement 
Partners,  Inc. 

Franktown,  CO 

Process  Focus 
Management 
Algonac, MI

The  Process  Group 
Dallas,  TX 

Process  Inc. 

Ottawa,  Ontario,  Canada 

Process  Strategies,  Inc. 
Walpole,  ME 

Process  Transition 
International,  Inc. 
Annapolis,  MD 

Q-Labs,  Inc. 

Greenbelt,  MD 

Raytheon  Company 
INTERNAL  USE  ONLY 

Reuters,  Ltd. 

INTERNAL  USE  ONLY 

Science  Applications 
International 
Corporation  (SAIC) 
Beavercreek,  OH 

SECAT  LLC 
La  Mirada,  CA 

SITARA  Technologies 
Pvt.,  Ltd. 

NON-U.S.  DELIVERY  ONLY 
Hyderabad,  India 

Software  Productivity 
Consortium 
Herndon,  VA 

Software  Systems 
Quality  Consulting  -  SSQC 
San  Jose,  CA 

Software  Technology 
Transition 
Andover,  MA 


StepUp  Solutions,  Inc. 
Los  Gatos,  CA 

Synchro  Cubed 
Henderson,  NV 

TeraQuest  Metrics,  Inc. 
Austin,  TX 

Theta  Information 
Systems 
Tampa,  FL 

TRW 

INTERNAL  USE  ONLY 


People  Capability 
Maturity  Model  Lead 
Assessor  Training 

TeraQuest  Metrics,  Inc. 
Austin,  TX 

Personal  Software 
Process  (PSP),  Team 
Software  Process 
(TSP),  and  Launch 
Coach  Training 

Advanced  Information 
Services,  Inc. 

Peoria,  IL 

Advanced 
Maturity  Services 
Atlanta,  GA 

Applied  Research  Lab- 
University  of  Texas 
INTERNAL  USE  ONLY 

Centro  de  Investigacion 
en  Matematicas 
Guanajuato,  Mexico 

Davis  Systems 
Pittsburgh,  PA 

EBS  Dealing  Resources 
INTERNAL  USE  ONLY 

Defense  Logistics  Agency 
PSP  Only 

U.S.  GOVERNMENT 
USE  ONLY 
Englewood,  CO 

Embedded  Software 
Professionals 
Birmingham, MI

Honeywell 
INTERNAL  USE  ONLY 

Alan  S.  Koch,  Consultant 
Natrona  Heights,  PA 

KPMG 

Teynampet, 

Chennai,  India 

NAVAIR 
PSP  Only 

U.S.  GOVERNMENT 
USE  ONLY 
China  Lake,  CA 

Prodigia  S.A.  de  C.V. 
Delegacion  Coyoacan, 
Mexico  D.F. 


PS&J  -  Software  Six  Sigma 
Leonia,  NJ 

Science  Applications 
International  Corp  (SAIC) 
Arlington,  VA 

SIA  Group 
Ormond  Beach,  FL 

STPP,  Inc. 

Bradford  Woods,  PA 
STSC 

PSP  Only 

U.S.  GOVERNMENT 
USE  ONLY 
Hill AFB, UT

Trilogy 

INTERNAL  USE  ONLY 

United  Defense 
Industries,  Inc. 

INTERNAL  USE  ONLY 

Xerox 

INTERNAL  USE  ONLY 


Publications 

Distribution 

Auerbach  Publications 
New  York,  NY 

Defense  Technical 
Information 
Center  (DTIC) 

Ft.  Belvoir,  VA 

National  Technical 
Information 
Service  (NTIS) 
Springfield,  VA 

SCAMPI  Assessment 
Services 

American  Management 
Systems,  Inc. 

Fairfax,  VA 

BAE  Systems 

Farlington,  Portsmouth, 
United  Kingdom 


Marilyn  Bush  Associates 
Philadelphia,  PA 

Center  for  Systems 
Management 
Herndon,  VA 

ChangeBridge,  Inc. 
Chantilly,  VA 

Cooliemon 
Harmony,  PA 

Cyber  Keji  Park,  Inc. 
Austin,  TX 

Effective  Process 
Solutions 
Morrison,  CO 

GM  Powertrain 
INTERNAL  USE  ONLY 

Harris  Corporation 
INTERNAL  USE  ONLY 

Milbing  & 

Associates,  Inc. 
Pittsburgh,  PA 

IBM 

Southbury,  CT 

Integrated  System 
Diagnostics,  Inc. 
Pocasset,  MA 

KAMO  Consultancy 
Pittsburgh,  PA 

KPMG 

NON-U.S. DELIVERY ONLY
Teynampet,  Chennai, 
India 

Lockheed  Martin 
Gaithersburg,  MD 

Martin  Process 
Solutions,  Inc. 

Austin,  TX 

Multi-Dimensional 
Maturity 
Celina,  TX 


Objective  SST 
Corporation 

Ottawa,  Ontario,  Canada 
Process  Inc. 

Ottawa,  Ontario,  Canada 

Process  Advantage 
Technology,  Inc. 

Benicia,  CA 

Process  Assessment, 
Consulting  &  Training 
Burnsville,  MN 

Process  Enhancement 
Partners,  Inc. 
Franktown,  CO 

Process  Plus,  Inc. 
Richboro,  PA 

Process  Strategies,  Inc. 
Walpole,  ME 

Process  Transition 
International,  Inc. 
Annapolis,  MD 

ProcessVelocity,  LLP 
San  Diego,  CA 

Q-Labs,  Inc. 

Greenbelt,  MD 

Raytheon  Company 
Sudbury,  MA 

Reuters,  Ltd. 

INTERNAL  USE  ONLY 

RING  Associates 
Austin,  TX 

Science  Applications 
International 
Corporation  (SAIC) 
Beavercreek,  OH 

SITARA  Technologies 
Pvt.,  Ltd. 

Hyderabad,  India 

Sodalia  SPA 
Trento,  Italy 


Software  Productivity 
Consortium 
Herndon,  VA 

Software  Research 
Associates,  Inc. 
NON-U.S.  DELIVERY  ONLY 
Toshima-ku,  Tokyo, 
Japan 

StepUp  Solutions,  Inc. 
Los  Gatos,  CA 

Summit  Process 
Engineering 
Loveland,  CO 

Synchro  Cubed 
Henderson,  NV 

Synchro  PP&T,  Inc. 

El  Toro,  CA 

TeraQuest  Metrics,  Inc. 
Austin,  TX 

Theta  Information 
Systems 
Tampa,  FL 

TRW 

Redondo  Beach,  CA 

Software  Capability 
Evaluation  Team 
Training 

Abacus  Technology 
Corporation 
Chevy  Chase,  MD 

aimware, Ltd.
Pittsburgh,  PA 

Integrated  System 
Diagnostics,  Inc. 
Pittsburgh,  PA 


Work  With  DoD  Software  Collaborators 

The DoD Software Collaborators are a network of providers of software
research, services, and products that help both program managers and
software developers.

In FY2001, the SEI worked with many organizations in the DoD Software
Collaborators network, including

■  Aeronautical  Systems  Center  Engineering 
Directorate  (ASC/EN) 

■  The  Aerospace  Corporation 

■  Air  Force  Engineering  and  Technical  Management 
Division  (AF/AQRE) 

■  Aviation  and  Missile  Command  (AMCOM)  Software 
Engineering  Directorate 

■  Computer  Resource  Support  Improvement 
Program  (CRSIP) 

■  Defense  Contract  Management  Agency 

■  Headquarters  Air  Force  Materiel 
Command/Directorate  of  Engineering  and 
Technical  Management,  Engineering  Policy 
Maintenance  Branch  (HQ  AFMC/ENPM) 

■  MITRE  Corporation 

■  Naval  Air  Systems  Command  (NAVAIR) 

■  Naval  Postgraduate  School  (NPS) 


■  Office  of  the  Secretary  of  Defense  Tri-Service 
Assessment  Initiative 

■  Oklahoma  City  Air  Logistics  Center 

■  Open  Systems  Joint  Task  Force  (OSJTF) 

■  Office  of  the  Secretary  of  Defense  Tri-Service 
Assessment  Initiative 

■  Practical  Software  Measurement  (PSM) 

■  Space  and  Naval  Warfare  Systems  Center  San 
Diego  (SPAWAR  SSC  SD) 

■  U.S.  Communications-Electronics  Command 
(CECOM)  Software  Engineering  Center 

■  U.S.  Air  Force  Software  Technology  Software 
Center 

■  U.S.  Army  Tank-Automotive  and  Armaments 
Command  (TACOM)  Life  Cycle  Software 
Engineering  Center 

■  Warner  Robins  Air  Logistics  Center,  Software 
Engineering  Division  (WR/ALC-LYS) 
Funding for FY2001 and support for the SEI's
DoD Sponsors

The  SEI  received  $50.1  million  in  funding  for  FY2001.  The  two  charts  below 
show  this  funding  organized  by  funding  organizations  and  by  type  of 
funding.  A  "project  work  statement"  (PWS)  is  a  task  order  from  a  specific 
government  program  to  perform  specific  work.  A  "cooperative  research 
and  development  agreement"  (CRADA)  is  an  agreement  with  industry  and 
academic  collaborators.  "Basic"  funding  is  funding  provided  by  the  Office 
of  the  Under  Secretary  of  Defense  for  Acquisition,  Technology,  and  Logistics, 
the  SEI's  primary  DoD  sponsor,  to  execute  the  SEI  technical  program. 
"Other"  funds  come  from  course  and  conference  fees,  and  other 
recovered  costs. 


[Charts: "FY2001 Funding by Organization" and "FY2001 Funding by Type." Legible segment labels: Cooperative Research and Development Agreements 8%; Other 19%; Civil 14%; Joint Military 2%; Project Work Statements; Other Federal Agencies 33%; Air Force 27%; Army 7%; Navy 5%; Joint/Other.]

In FY2001, the SEI received $21.2 million in funding for
specific projects in the form of project work statements
with the armed forces or federal agencies. That funding
came from the following sources:

■ Navy

■ Army

■ Air Force

■ Joint / Other DoD

■ Other Federal Agencies

Abbreviations,  Acronyms,  and  Initialisms 


AF/AQRE: Air Force Engineering and Technical Management Division
AIS: Advanced Information Services, Inc.
AMCOM: Aviation and Missile Command
ASTA: Accelerating Software Technology Adoption
ASC/EN: Aeronautical Systems Center Engineering Directorate
ATAM℠: Architecture Tradeoff Analysis Method℠
CBA IPI: CMM®-Based Assessment for Internal Process Improvement
CCT: Control Channel Toolkit
CECOM: U.S. Communications-Electronics Command
CERT/CC: CERT® Coordination Center
CMM: Capability Maturity Model®
CMMI: Capability Maturity Model Integration
CMMI-SE/SW: Capability Maturity Model-Integrated for Systems Engineering/Software Engineering
CMMI-SE/SW/IPPD: Capability Maturity Model-Integrated for Systems Engineering/Software Engineering/Integrated Product and Process Development
COTS: commercial off-the-shelf
CRADA: cooperative research and development agreement
CRSIP: Computer Resources Support Improvement Program
CURE: COTS Usage Risk Evaluation
DD21: 21st Century Land Attack Destroyer
DISA: Defense Information Systems Agency
DMSO: Defense Modeling and Simulation Office
DNS: domain name system
DoD: Department of Defense
DSIP: Defense Strategic Impact Program
DSU: Dependable Systems Upgrade
DTIC: Defense Technical Information Center
EA: evolutionary acquisition
EBS: Electronic Brokering Services
EIA: Electronic Industries Alliance
EIA/IS: Electronic Industries Alliance Interim Standard
HIPAA: Health Insurance Portability and Accountability Act
HLA: High Level Architecture
HQ AFMC/ENPM: Headquarters Air Force Materiel Command / Directorate of Engineering and Technical Management, Engineering Policy Maintenance Branch
IATAC: Information Assurance Technology Analysis Center
ISA: Internet Security Alliance
ITA: independent technical assessment
MBV: model-based verification
NASA IV&V: National Aeronautics and Space Administration Independent Verification and Validation Facility
NAVAIR: Naval Air Systems Command
NDIA: National Defense Industrial Association
NPS: Naval Postgraduate School
NRO: National Reconnaissance Office
OCTAVE™: Operationally Critical Threat, Asset, and Vulnerability Evaluation™
OSD: Office of the Secretary of Defense
OSJTF: Open Systems Joint Task Force
OUSD (AT&L): Office of the Under Secretary of Defense (Acquisition, Technology, and Logistics)
PAIS: Process Appraisal Information System
P-CMM: People Capability Maturity Model
PEO: Program Executive Office
PEO/SYSCOM: Program Executive Officers / Systems Command
PLP: Product Line Practice
PSM: Practical Software Measurement
PSP: Personal Software Process
QAW: Quality Attribute Workshop
SAE: service acquisition executive
S&T: science and technology
SA-CMM: Software Acquisition Capability Maturity Model
SBIRS: Space Based Infrared Systems
SCAMPI: Standard CMMI Assessment Method for Process Improvement
SE-CMM: Systems Engineering Capability Maturity Model
SEI: Software Engineering Institute
SEIR: Software Engineering Information Repository
SEPG: Software Engineering Process Group
SIM: security improvement module
SPAWAR SSC SD: Space and Naval Warfare Systems Center San Diego
SPIN: Software Process Improvement Network
SPS: Standard Procurement System
SR: special report
SRE: Software Risk Evaluation
SSEPG: Software Systems Engineering Process Group
STR: Software Technology Review
SW-CMM: Capability Maturity Model for Software
TACOM: U.S. Army Tank-Automotive and Armaments Command
TIDE: Technology Insertion, Demonstration, and Evaluation
TN: technical note
TR: technical report
TSP: Team Software Process
TTW: Technology Transition Workshop
WR/ALC-LYS: Warner Robins Air Logistics Center, Software Engineering Division

Symposium held in Pittsburgh
Software Engineering
Carnegie Mellon/SEI Master of Software Engineering
People Capability Maturity
OCTAVE™ Framework, Version 1.0 published
Product Line Practice Framework published on the Web
Software Engineering Information Repository (SEIR) established on the Web
responded to Melissa virus
Rate Monotonic Analysis
First European Software Engineering Process Group
established on the Web